full_name_format and supplemental groups
by Orion Poplawski
Running IPA with an AD trust. Users are in AD. Trying to use
full_name_format = %1$s to strip the domain from user names. This appears to
break supplemental groups in strange ways.
On the IPA server:
Without full_name_format:
# id orion@ad.nwra.com
uid=470202603(orion@ad.nwra.com) gid=470202603(orion@ad.nwra.com) groups=470202603(orion@ad.nwra.com),470200513(domain users@ad.nwra.com),470204703(pirep rd users@ad.nwra.com),470204714(wireless access@ad.nwra.com),470204715(nwra-users@ad.nwra.com),470204701(boulder@ad.nwra.com),470207608(heimdall users@ad.nwra.com),470200512(domain admins@ad.nwra.com),470207124(andreas admins@ad.nwra.com)
With:
# id orion@ad.nwra.com
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
If I add:
default_domain_suffix = ad.nwra.com
# id orion
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion),470200512(domain admins),470207608(heimdall users),470204714(wireless access),470204715(nwra-users),470204701(boulder),470204703(pirep rd users),470207124(andreas admins),470200513(domain users)
Which I guess makes some sense as you'd need to add the domain suffix back on
to find the groups.
But this appears to completely break IPA clients (with full_name_format = %1$s
and default_domain_suffix = ad.nwra.com):
# id orion@ad.nwra.com
id: orion@ad.nwra.com: no such user
# id orion
id: orion: no such user
From looking at the server logs, it looks like only the IPA domain is searched.
If I reset the server back to normal (drop full_name_format and
default_domain_suffix):
# id orion
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
I don't get any supplemental groups. I see sssd errors like:
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
Is it trying "cn=groups,cn=nwra.com,cn=sysdb" instead of "cn=groups,cn=ad.nwra.com,cn=sysdb"?
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 http://www.nwra.com
7 years, 1 month
sssd able to login the user but failed on sudo
by Karim
Hi Team,
I have two forests, both working fine in terms of authentication.
I added a user to sudoers from one of the domains and he is getting access denied.
The user is able to log in with no problem, but sudo is not working.
In the secure log it shows "account is expired".
In the SSSD logs it shows the error
"attempting to kinit for realm xxxxxx" then
"clients credentials have been revoked".
I checked the account and it is not expired nor locked.
Additionally, I have another account in the same forest which I used to join the domain, and it is working fine for both authentication and sudoers.
I also tried ldap_user_principal = nosuchattribute and krb5_use_enterprise_principal = false,
but the problem remains.
What could be the reason for being able to log in and later getting "clients credentials revoked" for sudoers?
Thanks
8 years, 7 months
simple_allow_groups does not work: 4 (system error )
by Domenico Viggiani
Hi,
on a Red Hat 7.1 machine with the latest updates, sssd/realmd authentication
against AD works until I try to use simple_allow_groups, when access is
denied for all with this error:
pam_sss(sshd:account): Access denied for user testuser: 4 (System error)
Setting debug_level = 7, at the end of the log I see:
(Mon Mar 16 16:57:52 2015) [sssd[be[CERVEDGROUP.COM]]] [simple_resolve_group_check] (0x1000): The group is still non-POSIX
(Mon Mar 16 16:57:52 2015) [sssd[be[CERVEDGROUP.COM]]] [simple_resolve_group_done] (0x0040): Refresh failed
(Mon Mar 16 16:57:52 2015) [sssd[be[CERVEDGROUP.COM]]] [simple_check_get_groups_next] (0x0040): Could not resolve name of group with GID 684028039
(Mon Mar 16 16:57:52 2015) [sssd[be[CERVEDGROUP.COM]]] [simple_access_check_done] (0x0040): Could not collect groups of user testuser
(Mon Mar 16 16:57:52 2015) [sssd[be[CERVEDGROUP.COM]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Mon Mar 16 16:57:52 2015) [sssd[be[CERVEDGROUP.COM]]] [be_pam_handler_callback] (0x0100): Sending result [4][MYDOMAIN.COM]
(Mon Mar 16 16:57:52 2015) [sssd[be[CERVEDGROUP.COM]]] [be_pam_handler_callback] (0x0100): Sent result [4][MYDOMAIN.COM]
Full log is available but I need to "sanitize" it.
Any help?
Thanks in advance
--
Mimmo
8 years, 7 months
RHEL/CentOS 6 problems with missing supplemental groups for AD users
by John Beranek
Hi,
I've been investigating problems with the SSSD 1.11 versions supplied in
RHEL/CentOS 6.6 for a while now. I've followed:
https://access.redhat.com/solutions/1264443
https://fedorahosted.org/sssd/ticket/2472
and also created a case with Red Hat support. However, I'm still no closer
to solving the issue.
After updating servers to the SSSD in 6.6, intermittently (for particular
users but not on all servers, and not necessarily all the time) users don't
get their supplementary groups, e.g.:
[root@rhel6-template sssd]# id matthewbe
uid=46721(matthewbe) gid=20513(domain users) groups=20513(domain users)
This is with the latest SSSD on a RHEL6.6 server, i.e.:
sssd-1.11.6-30.el6_6.3.x86_64
Our environment is Windows 2003 AD controllers, and users *without* POSIX
attributes in their AD records. So, snippets of sanitised sssd.conf:
[domain/AD]
debug_level = 9
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ad_server = dc01.local,dc02.local
ad_backup_server = ad.local
ad_domain = ad.local
# ID mapping
min_id = 20000
ldap_idmap_range_min = 20000
#ldap_idmap_range_max = 220000
ldap_idmap_range_size = 200000
ldap_idmap_default_domain_sid = S-1-5-21-2365159532-2245169678-2931239768
ldap_schema = ad
ldap_id_mapping = true
override_homedir = /home/AD/%u
override_shell = /bin/bash
# access controls
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
# performance
ldap_referrals = false
I've tried a few config changes to fix the issue, but none has fixed it,
including:
ldap_use_tokengroups = False
ldap_group_objectsid = objectSID
ldap_user_objectsid = objectSID
ldap_deref_threshold = 0
ldap_schema = rfc2307bis
Given Red Hat support hasn't been able to fix our issue, what else can I do?
Cheers,
John
--
John Beranek To generalise is to be an idiot.
http://redux.org.uk/ -- William Blake
8 years, 8 months
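An added worked example, not from this thread and not sssd's own code: the arithmetic behind ldap_id_mapping as sssd.conf(5) describes it. Each domain owns a slice of ldap_idmap_range_size IDs above ldap_idmap_range_min, the domain named in ldap_idmap_default_domain_sid is guaranteed slice 0, and an object's POSIX ID is range_min + slice * range_size + RID. With the settings in the config above (min 20000, size 200000) the gid 20513 in the `id matthewbe` output decodes to slice 0, RID 513, which is the well-known Domain Users RID, so the primary group really is coming through ID mapping. Run with sssd's default range (200000/200000, an assumption about the other posters' configurations) the same decode turns the IDs elsewhere on this page into slice/RID pairs as well, e.g. 680800513 into RID 513. Slice selection for domains other than the default one is hash-based in sssd and is not modelled; the well-known RID table is the only other input.

```python
import re

# Defaults from sssd.conf(5); the config in the post overrides the first two (20000 / 200000).
DEFAULT_RANGE_MIN = 200000
DEFAULT_RANGE_MAX = 2000200000
DEFAULT_RANGE_SIZE = 200000

# Well-known RIDs of the built-in AD domain accounts and groups.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers", 518: "Schema Admins",
    519: "Enterprise Admins", 520: "Group Policy Creator Owners",
}

_DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")
_ID_TOKEN_RE = re.compile(r"(\d+)\(([^)]*)\)")   # matches tokens like 20513(domain users)


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into ('S-1-5-21-a-b-c', RID)."""
    domain, sep, rid = sid.rpartition("-")
    if not sep or not _DOMAIN_SID_RE.match(domain) or not rid.isdigit():
        raise ValueError("not an object SID in an NT domain: %r" % sid)
    return domain, int(rid)


def sid_to_id(sid, default_domain_sid, range_min=DEFAULT_RANGE_MIN,
              range_size=DEFAULT_RANGE_SIZE):
    """POSIX ID for an object of the ldap_idmap_default_domain_sid domain (slice 0).

    Other domains get their slice from a hash of the domain SID; that part of
    sssd is not modelled here, so such SIDs raise NotImplementedError."""
    domain, rid = split_sid(sid)
    if domain != default_domain_sid:
        raise NotImplementedError("slice for %s is hash-derived; not modelled" % domain)
    if rid >= range_size:
        raise ValueError("RID %d does not fit in a slice of %d IDs" % (rid, range_size))
    slice_index = 0
    return range_min + slice_index * range_size + rid


def id_to_slice_rid(posix_id, range_min=DEFAULT_RANGE_MIN,
                    range_size=DEFAULT_RANGE_SIZE, range_max=DEFAULT_RANGE_MAX):
    """Invert the mapping: (slice, RID) if posix_id is inside the idmap space, else None."""
    if posix_id < range_min or posix_id > range_max:
        return None
    return divmod(posix_id - range_min, range_size)


def annotate_id_output(line, range_min=DEFAULT_RANGE_MIN, range_size=DEFAULT_RANGE_SIZE):
    """Decode each NNN(name) token of an `id` line into (id, name, slice, rid, well_known)."""
    rows = []
    for num, name in _ID_TOKEN_RE.findall(line):
        num = int(num)
        decoded = id_to_slice_rid(num, range_min, range_size)
        if decoded is None:
            rows.append((num, name, None, None, None))     # local or non-idmap account
        else:
            rows.append((num, name, decoded[0], decoded[1], WELL_KNOWN_RIDS.get(decoded[1])))
    return rows


if __name__ == "__main__":
    # The `id matthewbe` line from the post, decoded with that post's range settings.
    for row in annotate_id_output(
            "uid=46721(matthewbe) gid=20513(domain users) groups=20513(domain users)",
            range_min=20000, range_size=200000):
        print(row)
```

A RID that decodes to a well-known value from an ID that is supposed to come from a POSIX attribute is a quick sign that ldap_id_mapping is still in effect; an ID below range_min (or above range_max) is simply not an idmapped account.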
ldb_modify_failed invalid attribute syntax
by Christopher Butt
Hi,
I'm trying to authenticate against an AD domain. The first domain I did this on was almost flawlessly easy, but this time, on a different domain, I'm having problems. I've searched, but I've mostly found fixed bugs from old versions, like this one: https://bugzilla.redhat.com/show_bug.cgi?id=886848, which suggests that case sensitivity might have been an issue. Is it still one?
My symptoms:
1) Some domain users aren't being recognised at all,
2) Some users are not getting the full groups list, eg just 'domain users'
3) Some users are connecting apparently fine with lots of AD groups visible from an 'id' or 'groups' command. So far it seems that the domain admins all work fine, but it's not clear if that's a coincidence or not.
I've set up SSSD using realmd as follows:
realm join -v internal.mydomain.com --user jn-monty --computer-ou=OU=Linux\ Servers,OU=Member\ Servers,DC=internal,DC=mydomain,DC=com
(jn-monty is a domain-admin in this case.)
[root@myserver admin]# sssd --version
1.12.2
[root@myserver admin]# cat /etc/sssd/sssd.conf
[sssd]
domains = internal.mydomain.com
config_file_version = 2
services = nss, pam, pac
[domain/internal.mydomain.com]
ad_domain = internal.mydomain.com
krb5_realm = INTERNAL.MYDOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
debug_level = 5
auth_provider = ad
If I 'id' a missing user I get the following in the logs:
[root@myserver admin]# id bqt-pmimon@internal.mydomain.com
(Thu Mar 19 19:32:54 2015) [sssd[be[internal.mydomain.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=bqt-pmimon]
(Thu Mar 19 19:32:54 2015) [sssd[be[internal.mydomain.com]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Invalid attribute syntax]
(Thu Mar 19 19:32:54 2015) [sssd[be[internal.mydomain.com]]] [sysdb_set_entry_attr] (0x0040): Error: 22 (Invalid argument)
(Thu Mar 19 19:32:54 2015) [sssd[be[internal.mydomain.com]]] [sdap_save_user] (0x0020): Failed to save user [BQT-PMimon]
(Thu Mar 19 19:32:54 2015) [sssd[be[internal.mydomain.com]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
(Thu Mar 19 19:32:54 2015) [sssd[be[internal.mydomain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
id: bqt-pmimon@internal.mydomain.com: no such user
If I 'id' a working user I get the following:
[root@myserver admin]# id bqt-imartin@internal.mydomain.com
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=bqt-imartin]
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [be_resolve_server_process] (0x0200): Found address for server production-dc03v.internal.mydomain.com: [10.244.121.197] TTL 3600
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [be_resolve_server_process] (0x0200): Found address for server production-dc03v.internal.mydomain.com: [10.244.121.197] TTL 3600
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [child_sig_handler] (0x0100): child [14296] finished successfully.
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: myserver$
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'production-dc03v.internal.mydomain.com' as 'working'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [set_server_common_status] (0x0100): Marking server 'production-dc03v.internal.mydomain.com' as 'working'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [be_get_account_info] (0x0200): Got request for [0x1002][1][idnumber=680800513]
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.internal.mydomain.com'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [be_get_account_info] (0x0200): Got request for [0x1003][1][name=bqt-imartin]
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'production-dc03v.internal.mydomain.com' in files
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'production-dc03v.internal.mydomain.com' in files
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'production-dc03v.internal.mydomain.com' in DNS
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_gc._tcp.Prodtown._sites.trainline.com'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_gc._tcp.trainline.com'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'AD_GC' as 'resolved'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [be_resolve_server_process] (0x0200): Found address for server production-dc03v.internal.mydomain.com: [10.244.121.197] TTL 3600
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://production-dc03v.internal.mydomain.com'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://production-dc03v.internal.mydomain.com:3268'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [be_resolve_server_process] (0x0200): Found address for server production-dc03v.internal.mydomain.com: [10.244.121.197] TTL 3600
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://production-dc03v.internal.mydomain.com'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://production-dc03v.internal.mydomain.com'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [child_sig_handler] (0x0100): child [14297] finished successfully.
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: myserver$
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [fo_set_port_status] (0x0100): Marking port 3268 of server 'production-dc03v.internal.mydomain.com' as 'working'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [set_server_common_status] (0x0100): Marking server 'production-dc03v.internal.mydomain.com' as 'working'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such attribute]
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sysdb_update_members_ex] (0x0020): Could not remove member [bqt-imartin] from group [name=DLG-SC-vCenter Admin,cn=groups,cn=internal.mydomain.com,cn=sysdb]. Skipping
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such attribute]
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sysdb_update_members_ex] (0x0020): Could not remove member [bqt-imartin] from group [name=DLG-SC-Linux Admins,cn=groups,cn=internal.mydomain.com,cn=sysdb]. Skipping
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
uid=680803710(bqt-imartin@internal.mydomain.com) gid=680800513(domain users@internal.mydomain.com) groups=680800513(domain users@internal.mydomain.com)
8 years, 8 months
automount Problem
by Günther J. Niederwimmer
Hello,
On my CentOS 7 system automount is not working.
IPA 4.1, sssd 1.12.
I get this error:
automount[1899]: lookup_read_map: lookup(sss): getautomntent_r: No such file or directory
Do I have to configure more in sssd?
For now I have this from ipa:
autofs_provider = ipa
ipa_automount_location = default
--
mit freundlichen Grüßen / best Regards,
Günther J. Niederwimmer
8 years, 8 months
Trouble with password authentication of AD users
by Orion Poplawski
I've got IPA running on an EL7.1 box for the domain NWRA.COM. I established a
trust with our Active Directory domain (AD.NWRA.COM). The trust seems to be
working mostly correctly; I can auto-login with AD Kerberos tickets, for example.
However, password authentication for the AD users does not appear to be working:
$ su - orion@AD.NWRA.COM
Password:
su: Authentication failure
sssd log shows:
(Fri Mar 27 13:51:42 2015) [sssd[be[nwra.com]]] [krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user [orion@ad.nwra.com] found.
(Fri Mar 27 13:51:42 2015) [sssd[be[nwra.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Fri Mar 27 13:51:42 2015) [sssd[be[nwra.com]]] [get_server_status] (0x1000): Status of server 'ipa.nwra.com' is 'working'
(Fri Mar 27 13:51:42 2015) [sssd[be[nwra.com]]] [get_port_status] (0x1000): Port status of port 0 for server 'europa.nwra.com' is 'working'
(Fri Mar 27 13:51:42 2015) [sssd[be[nwra.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Fri Mar 27 13:51:42 2015) [sssd[be[nwra.com]]] [get_server_status] (0x1000): Status of server 'europa.nwra.com' is 'working'
(Fri Mar 27 13:51:42 2015) [sssd[be[nwra.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Fri Mar 27 13:51:42 2015) [sssd[be[nwra.com]]] [be_resolve_server_process] (0x0200): Found address for server ipa.nwra.com: [X.X.X.X] TTL 86400
(Fri Mar 27 13:51:42 2015) [sssd[be[nwra.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [17483]
(Fri Mar 27 13:51:42 2015) [sssd[be[nwra.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [17483]
(Fri Mar 27 13:51:42 2015) [sssd[be[nwra.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [child_sig_handler] (0x1000): Waiting for child [17483].
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [child_sig_handler] (0x0100): child [17483] finished successfully.
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [parse_krb5_child_response] (0x1000): child response [0][3][40].
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741822][18].
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741823][32].
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [parse_krb5_child_response] (0x1000): TGT times are [1427485903][1427485903][1427521903][1427572303].
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [parse_krb5_child_response] (0x1000): child response [0][6][8].
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [krb5_auth_done] (0x0020): UPN used in the request [Orion Poplawski@AD.NWRA.COM] and returned UPN [orion@AD.NWRA.COM] differ by more than just the case.
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [ipa_auth_handler_done] (0x0040): krb5_auth_recv request failed.
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [be_pam_handler_callback] (0x0100): Sending result [4][ad.nwra.com]
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [be_pam_handler_callback] (0x0100): Sent result [4][ad.nwra.com]
The UPN message seems like an issue. Ideas?
ipa-server-4.1.0-18.sl7_1.3.x86_64
sssd-1.12.2-58.el7.x86_64
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 http://www.nwra.com
8 years, 8 months
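An added example, not from the list and not sssd's own code: a parser for the debug-log format quoted in the simple_allow_groups, ldb_modify, full_name_format and password-authentication threads above. It rejoins lines that a mail client wrapped mid-message, decodes the (0x....) field with the debug_level bit meanings from sssd.conf(5), lists the entries at fatal, critical or serious level, and pulls the PAM status out of the "Sending result [N][domain]" lines (4 is PAM_SYSTEM_ERR, the "System error" that pam_sss reports in the sshd log). The embedded log lines are constructed for a domain called example.com in the style of the posts; the status names are Linux-PAM's return codes.

```python
import re

# debug_level bits as documented in sssd.conf(5)
LEVEL_NAMES = {
    0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor",
    0x0100: "config", 0x0200: "function data", 0x0400: "trace (operations)",
    0x1000: "trace (internal control)", 0x2000: "trace (all internal)",
    0x4000: "trace (ldb)",
}
FAILURE_MASK = 0x0070   # fatal | critical | serious; OR in 0x0080 to include minor failures

# Linux-PAM return codes that show up in "Sending result [N][domain]" lines
PAM_STATUS = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
              7: "PAM_AUTH_ERR", 10: "PAM_USER_UNKNOWN", 13: "PAM_ACCT_EXPIRED"}

_LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) "                                # (Mon Mar 16 16:57:52 2015)
    r"\[(?P<proc>sssd\[(?:[^\[\]]|\[[^\[\]]*\])*\])\] "   # [sssd[be[domain]]] or [sssd[nss]]
    r"\[(?P<func>[^\]]+)\] "                              # [function_name]
    r"\((?P<level>0x[0-9a-fA-F]+)\): "                    # (0x0040):
    r"(?P<msg>.*)$")
_RESULT_RE = re.compile(r"Sending result \[(\d+)\]\[([^\]]*)\]")

# Constructed sample in the shape of the logs quoted in the threads above; two of the
# entries are wrapped across lines the way mail clients wrap them.
SAMPLE_LOG = """\
(Mon Mar 16 16:57:52 2015) [sssd[be[example.com]]] [simple_resolve_group_check] (0x1000): The group is still non-POSIX
(Mon Mar 16 16:57:52 2015) [sssd[be[example.com]]] [simple_check_get_groups_next] (0x0040): Could not resolve name of group
with GID 684028039
(Mon Mar 16 16:57:52 2015) [sssd[be[example.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain
admins,cn=groups,cn=example.com,cn=sysdb]. Skipping.
(Mon Mar 16 16:57:52 2015) [sssd[be[example.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Mon Mar 16 16:57:52 2015) [sssd[be[example.com]]] [be_pam_handler_callback] (0x0100): Sending result [4][example.com]
"""


def parse_sssd_log(text):
    """Parse debug lines into dicts; glue wrapped continuation lines onto the previous entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = _LINE_RE.match(raw)
        if m:
            entry = m.groupdict()
            entry["level"] = int(entry["level"], 16)
            entries.append(entry)
        elif entries:
            # no "(timestamp)" prefix: a line the mailer wrapped; re-attach it
            entries[-1]["msg"] += " " + raw.strip()
    return entries


def level_name(level):
    return LEVEL_NAMES.get(level, "0x%04x" % level)


def failures(entries, mask=FAILURE_MASK):
    """Entries whose level bit falls inside mask (default: fatal/critical/serious)."""
    return [e for e in entries if e["level"] & mask]


def pam_results(entries):
    """(code, domain, name) for every PAM result the backend sent back to the responder."""
    results = []
    for e in entries:
        m = _RESULT_RE.search(e["msg"])
        if m:
            code = int(m.group(1))
            results.append((code, m.group(2), PAM_STATUS.get(code, "unknown")))
    return results


if __name__ == "__main__":
    parsed = parse_sssd_log(SAMPLE_LOG)
    for e in failures(parsed):
        print("%-8s %-32s %s" % (level_name(e["level"]), e["func"], e["msg"]))
    print(pam_results(parsed))
```

Feed it a real file (`parse_sssd_log(open("/var/lib/sss/log/sssd_example.com.log").read())`, path assumed) and the failures list is the short version of a debug_level = 9 log; the rejoin step matters because the group DN in an "[name=domain admins,...]" message is exactly where mailers tend to break the line.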
sssd in a mixed 2003/2008 servers AD environment
by YVAN MASSON
Hi everybody,
First, thanks for this great tool !
With a very simple setup, it allows me to use dozens of Ubuntu 14.04
(sssd version 1.11.5-1ubuntu3) computers in the AD environment of my
school, where I have two 2003 servers.
I tried to help a colleague to do the same in another school (where there
is a mix of 2003 and 2008 servers), but I failed: the problem seems to
come from Kerberos, because I found messages of this type in the sssd logs:
"... has no support for encryption type". The enrollment of the computer
in the realm was OK, but user logins sometimes fail.
In some blog I can't find anymore, it was written that old encryption
types (DES) were not supported anymore on 2008 servers, so I tried to force
some Kerberos options ("krb5_use_kdcinfo = false" in sssd.conf and
"allow_weak_crypto = 1" in /etc/krb5.conf).
The sssd logs suggest that /etc/krb5.conf is read, but the result is
the same.
The only thing "working" was to prevent the computer from talking to the 2003
server with iptables, but this is a horrible and annoying hack.
So my questions are:
- Has anyone already managed to use sssd in this type of environment?
- Would you have any idea where to look for better debugging?
Thanks very much,
Yvan Masson
8 years, 8 months
Using separate ldap servers for authentication and auto mount information
by Matt John
We are in the process of attempting to transition to SSSD, mainly as we like the idea of a single configuration file.
We currently have two LDAP servers (this cannot be changed): one is used for user authentication and the other provides information on automounts. The LDAP server used for automounts only contains a subset of the users in the other LDAP server, as not all users are able to, or have the need to, log into our systems.
So far we have been unsuccessful in getting SSSD to work for both authentication and autofs. We can get them to work independently, but no amount of Googling has come up with a solution for how to combine the two.
All users share the same username and uid in both servers, although the gid must come from the automount LDAP server (both uid and gid are the same, actually). Our conf file so far is given below, with some information redacted.
Is it possible to combine the information from both the ldap servers using SSSD?
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, autofs
domains = authd, autofsd
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[autofs]
[domain/autofsd]
ldap_id_use_start_tls = True
cache_credentials = False
ldap_search_base = dc=test,dc=example.com
ldap_uri = ldap://ldap1.example.com/
ldap_tls_cacert = /etc/ssl/certs/example.pem
id_provider = ldap
autofs_provider = ldap
ldap_autofs_search_base = dc=test,dc=example.com
[domain/authd]
ldap_id_use_start_tls = True
cache_credentials = False
ldap_search_base = dc=test,dc=example.com
enumerate = False
chpass_provider = ldap
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap2.example.com/
ldap_tls_cacert = /etc/ssl/certs/example.pem
autofs_provider = none
8 years, 8 months
Re: [SSSD-users] sssd Ubuntu 14.04 LTS
by Timo Aaltonen
On 26.03.2015 16:19, Ludger Koehler wrote:
> Hi Timo,
>
> Sorry, but I have a question.
>
> We use Ubuntu 14.04 LTS Server with sssd-ad to authenticate against Windows
> 2008 R2 AD and it works.
> But there is one problem: "ad_access_filter" doesn't work.
>
> In sssd.conf the parameter
> access_provider = ad
> ad_access_filter =
> DOM:(&(objectCategory=Group)(objectClass=samaccountname)(|(ou=group1)(ou=group2)(ou=group3)))
>
> is set.
>
> Other filters like
> ad_access_filter =
> (|(memberOf=cn=group1,ou=gruppen,ou=examle,dc=test,dc=de)(memberOf=cn=group2,ou=gruppen,ou=example,dc=test,dc=de)(memberOf=cn=group3,ou=gruppen,ou=example,dc=test,dc=de))
>
> don't work either.
>
> Do you have an idea what the problem is, or is it a bug?
I guess the sssd-users list is better for questions like these, I don't
know the answer off-hand.
(sssd version in 14.04 is still at 1.11.5 btw, if relevant here)
--
t
8 years, 8 months
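An added example, not from this thread and not part of sssd: a small RFC 4515 filter parser with a checker for the scoping syntax sssd.conf(5) documents for ad_access_filter (KEYWORD:NAME:FILTER, where KEYWORD is DOM or FOREST or absent and NAME is then a domain). The checker treats a leading "DOM:" that is followed directly by a filter as a domain literally named "DOM" (an assumption about how sssd splits the value on ':') and warns about it, and it flags items that cannot match the user entry the man page says the filter is evaluated against. The filters it is run on below are constructed in the style of the quoted ones; group and domain names are placeholders.

```python
import re

# Simple item: attribute, one of the RFC 4515 operators, value (non-greedy attribute so
# that an extensible match such as memberOf:1.2.840.113556.1.4.1941:= is split correctly).
_ITEM_RE = re.compile(r"([A-Za-z][A-Za-z0-9.;:-]*?)(~=|>=|<=|:=|=)(.*)$", re.S)
# sssd.conf(5): "KEYWORD:NAME:FILTER"; keyword optional. A plain filter starts with '('
# and therefore never matches here.
_PREFIX_RE = re.compile(r"^(?:(DOM|FOREST):)?([^:()]+):(.*)$", re.S)


def _parse(s, i):
    """Parse one parenthesised filter at s[i]; return (node, index after its ')')."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    c = s[i]
    if c in "&|":                        # and / or: one or more sub-filters
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise ValueError("empty '%s' at offset %d" % (c, i))
        node = (c, children)
    elif c == "!":                       # not: exactly one sub-filter
        child, i = _parse(s, i + 1)
        node = ("!", [child])
    else:                                # simple item; RFC 4515 escapes ')' in values as \29
        j = s.find(")", i)
        if j < 0:
            raise ValueError("unterminated item at offset %d" % i)
        m = _ITEM_RE.match(s[i:j])
        if not m:
            raise ValueError("bad item %r at offset %d" % (s[i:j], i))
        node = ("item", m.group(1), m.group(2), m.group(3))
        i = j
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1


def parse_filter(s):
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing data at offset %d: %r" % (i, s[i:]))
    return node


def leaf_items(node):
    """Yield (attr, op, value) for every simple item in the tree."""
    if node[0] == "item":
        yield node[1], node[2], node[3]
    else:
        for child in node[1]:
            yield from leaf_items(child)


def check_ad_access_filter(value):
    """Split the optional scope prefix, parse the filter, and collect warnings."""
    value = value.strip()
    scope, name = None, None
    m = _PREFIX_RE.match(value)
    if m:
        scope, name, value = m.group(1), m.group(2), m.group(3)
    tree = parse_filter(value)
    warnings = []
    if scope is None and name is not None and name.upper() in ("DOM", "FOREST"):
        warnings.append("'%s' is a scoping keyword, not a domain name; expected "
                        "%s:<name>:<filter>" % (name, name.upper()))
    for attr, op, val in leaf_items(tree):
        a, v = attr.lower(), val.lower()
        # sssd.conf(5): the filter is one "the user must match", i.e. it is evaluated
        # against the user's own entry, so a group-only category can never match, and
        # sAMAccountName is an attribute, not an object class.
        if a == "objectcategory" and v == "group":
            warnings.append("(objectCategory=Group) cannot match a user entry")
        if a == "objectclass" and v == "samaccountname":
            warnings.append("(objectClass=sAMAccountName): sAMAccountName is an attribute, "
                            "not an object class")
    return {"scope": scope, "name": name, "filter": tree, "warnings": warnings}


if __name__ == "__main__":
    for f in ("DOM:(&(objectCategory=Group)(objectClass=samaccountname)(|(ou=group1)(ou=group2)))",
              "(|(memberOf=cn=group1,ou=gruppen,dc=test,dc=de)(memberOf=cn=group2,ou=gruppen,dc=test,dc=de))"):
        r = check_ad_access_filter(f)
        print(r["scope"], r["name"], r["warnings"])
```

The parser rejects an unbalanced filter before sssd ever sees it, and the warnings are the checks worth running on any ad_access_filter that silently denies (or allows) everyone: does the scoping prefix name a real domain, and can the filter match a user object at all.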