SSSD with AD provider deployment sizes
by Frank Pikelner
I just did a presentation at work to promote SSSD using the AD provider to replace an older nss_ldap and pam_ldap solution.
I have a question as someone had found a Red Hat document that suggested that deployments should be limited to 30 clients. I'm not sure if this is a current recommendation, but I'm interested if anyone has deployments with 5-10 thousand clients using the AD provider?
Frank
8 years, 9 months
ID mapping issue with Linux NFS client and server with AD DC KDC
by Delisle, John
Hello,
I'm working to get an NFSv4 client/server configuration working where the client and server are both CentOS 7.1, using Kerberos krb5p for encryption, and Windows Server 2012 R2 AD DC as the KDC.
- Both client and server are successfully joined to the domain using "realm join nebula.pw"
- Two users were added to AD: clientnfs and fsnfs, with UPNs like "nfs/client.nebula.pw" and "nfs/fs.nebula.pw"
- SPNs were added for bare hostnames via setspn.
- Both clientnfs and fsnfs have "require pre-auth disabled", and AES 128 and 256 enabled
- The keytabs for clientnfs and fsnfs were exported with ktpass and merged into /etc/krb5.keytab on the respective systems
- Users were created in AD (no special settings on them). I can SSH into both client and server using eg: "ssh someone@nebula.pw@client.nebula.pw"
Now, onto the problem...
- Using just AUTH_SYS, NFSv4 is working great with sssd correctly mapping IDs etc. between the client and server. Files have large-number UID/GID, belonging to the correct users. It appears sssd works great here. I SSH in as an AD user, cd to the mount, and can work as expected.
- Changing nothing but adding "sec=krb5p" to the exports and mounts, I run into issues. All users are assigned to nfsnobody. I'm not sure what is breaking down where. To elaborate, I am running "kinit -k nfs/client.nebula.pw" and "kinit -k nfs/fs.nebula.pw" on the client and server as root prior to mounting.
If there are other logs or debugging info that would be helpful please let me know.
"fs.nebula.pw" is the NFS server, "client.nebula.pw" is the NFS client, "dc.nebula.pw" is the ADDC, NEBULA.PW is the realm.
[root@fs /]# cat /etc/exports
/exports *(fsid=0,rw,insecure,no_subtree_check,no_root_squash,sec=krb5p)
/exports/data *(rw,sync,nohide,insecure,no_subtree_check,no_root_squash,sec=krb5p)
------------
[root@client ~]# history | grep mount
6 mount -tnfs4 -overs=4.1,sec=krb5p fs.nebula.pw:/data /data
----------
The following config files are identical on client and server, so I'm just including them once here:
[root@client ~]# grep -v -e '^ $' -e '^$' -e '^#' /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = NEBULA.PW
[realms]
NEBULA.PW = {
}
[domain_realm]
nebula.pw = NEBULA.PW
.nebula.pw = NEBULA.PW
----------
[root@client ~]# cat /etc/sssd/sssd.conf
[sssd]
domains = nebula.pw
config_file_version = 2
services = nss, pam
debug_level = 10
[domain/nebula.pw]
debug_level = 10
ad_domain = nebula.pw
krb5_realm = NEBULA.PW
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
----------------
[root@client ~]# grep -v -e '^$' -e '^#' /etc/idmapd.conf
[General]
Verbosity = 10
Domain = nebula.pw
[Mapping]
Nobody-User = nfsnobody
Nobody-Group = nfsnobody
[Translation]
Method = sss
[Static]
[UMICH_SCHEMA]
LDAP_server = ldap-server.local.domain.edu
LDAP_base = dc=local,dc=domain,dc=edu
--------------
[root@client ~]# grep -v -e '^$' -e '^#' /etc/sysconfig/nfs
RPCNFSDARGS="-d -s"
RPCMOUNTDOPTS="-d all"
STATDARG=""
SMNOTIFYARGS=""
RPCIDMAPDARGS="-vvvv"
RPCGSSDARGS="-vvvv -n"
GSS_USE_PROXY="yes"
RPCSVCGSSDARGS="-vvvv"
BLKMAPDARGS=""
SECURE_NFS="yes"
RPCNFSDCOUNT=64
-----------
[root@client ~]# grep -v -e '^ $' -e '^$' -e '^#' /etc/request-key.d/id_resolver.conf
create id_resolver * * /usr/sbin/nfsidmap -vvvv %k %d
---------
Thanks!
John Delisle | Solution Architecture | Ceridian HCM | w: 204.975.5909 / 204.414.1285 |c: 204.294.5529
8 years, 9 months
gidNumber resolution problem
by Thackeray, Neil L
I'm new to sssd, so I'm not sure I have everything set up correctly, but from what I've seen setting up authentication against AD should be fairly easy.
I'm able to authenticate, and group lookups seem to work during authentication. When I look through the sssd domain log I see it going through my groups and enumerating users.
Unfortunately, it's not able to resolve my gidNumber which is in my personal LDAP entry in the user objectclass not in the group objectclass.
This log entry happens when I ssh into the server or run 'groups' from the command line.
(Thu Jul 9 13:56:24 2015) [sssd[be[ad.mydomain.edu]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=182275)(objectclass=group)(name=*)(&(gidNumber=*)(!(gidNumber=0))))][DC=ad,DC=mydomain,DC=edu].
Output of running 'groups' while my account is logged in:
groups: cannot find name for group ID 182275
182275
I'm in a lot of groups, so I can only assume that it tries to resolve my gidNumber, can't and gives up.
sssd version 1.11.5
sssd.conf
[sssd]
domains = ad.mydomain.edu
config_file_version = 2
services = nss, pam, pac
[domain/ad.mydomain.edu]
debug_level = 9
ad_domain = ad.mydomain.edu
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
realmd_tags = manages-system joined-with-samba
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
ignore_group_members = False
ipa_hbac_support_srchost = True
ad_access_filter = memberOf=CN=MyOU IT FT,OU=Groups - DLs,OU=ITS,OU=MyOU,OU=City,DC=ad,DC=mydomain,DC=edu
nsswitch.conf
passwd: compat sss
group: compat sss
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
Thanks for any help,
Neil
8 years, 9 months
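An added example, not code from Neil's post or from SSSD itself: it applies the filter visible in that debug line to a constructed set of directory entries and shows why a gidNumber that lives only on the user object leaves `groups` with an unresolvable number. The directory entries (`jdoe`, `linux-admins`) are constructed sample data.

```python
"""Why `groups` prints a bare number: SSSD's primary-GID lookup against AD.

Added example, not code from the thread or from SSSD. With
ldap_id_mapping = False, SSSD takes the user's gidNumber and searches for a
*group* object carrying that gidNumber (the filter visible in the debug log).
A gidNumber that exists only on a user object does not match that filter,
so the GID can never be turned into a name.
"""
import re
from typing import Iterable, Optional

# Shape of the sdap_get_generic_ext_step debug line:
# "... calling ldap_search_ext with [<filter>][<search base>]."
_SEARCH_RE = re.compile(
    r"calling ldap_search_ext with \[(?P<filter>.*?)\]\[(?P<base>[^\]]*)\]"
)
_GID_RE = re.compile(r"\(gidNumber=(\d+)\)")


def extract_group_lookup(log_line: str) -> Optional[int]:
    """Return the gidNumber SSSD is resolving as a group in this line, else None."""
    m = _SEARCH_RE.search(log_line)
    if not m or "(objectclass=group)" not in m.group("filter").lower():
        return None
    g = _GID_RE.search(m.group("filter"))
    return int(g.group(1)) if g else None


def find_group_for_gid(gid: int, entries: Iterable[dict]) -> Optional[dict]:
    """Apply the same constraint as SSSD's filter: objectClass=group AND gidNumber=<gid>."""
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectClass", [])}
        if "group" in classes and entry.get("gidNumber") == gid:
            return entry
    return None


def diagnose(log_line: str, entries: Iterable[dict]) -> str:
    """Explain what the `groups` command will show for the GID in this log line."""
    gid = extract_group_lookup(log_line)
    if gid is None:
        return "no group-by-gid lookup in this line"
    grp = find_group_for_gid(gid, entries)
    if grp is not None:
        return f"gid {gid} resolves to group {grp['name']}"
    # Show where the gidNumber does live, so the reader sees the objectclass mismatch.
    holders = [e["name"] for e in entries if e.get("gidNumber") == gid]
    where = f" (only on non-group object(s): {', '.join(holders)})" if holders else ""
    return (f"gid {gid} has no AD group object with gidNumber={gid}{where}; "
            "`groups` prints the bare number")


# Debug line quoted in the thread.
LOG_LINE = ("(Thu Jul 9 13:56:24 2015) [sssd[be[ad.mydomain.edu]]] "
            "[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with "
            "[(&(gidNumber=182275)(objectclass=group)(name=*)"
            "(&(gidNumber=*)(!(gidNumber=0))))][DC=ad,DC=mydomain,DC=edu].")

# Constructed AD entries (not real directory data): the user's own object carries
# gidNumber 182275, but no group object does; group 182001 is properly defined.
SAMPLE_ENTRIES = [
    {"name": "jdoe", "objectClass": ["top", "person", "user"], "gidNumber": 182275},
    {"name": "linux-admins", "objectClass": ["top", "group"], "gidNumber": 182001},
]

if __name__ == "__main__":
    print(diagnose(LOG_LINE, SAMPLE_ENTRIES))
    print(diagnose(LOG_LINE.replace("182275", "182001"), SAMPLE_ENTRIES))
```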
SSSD - AIX support
by Frank Pikelner
We run a relatively large environment at work of Linux, Windows and AIX
servers - in the high thousands for each. Currently we are moving to use
SSSD to authenticate Linux admins with AD. Any opportunity to port SSSD for
support for AIX 6.x/7.x?
Frank
8 years, 9 months
Announcing SSSD 1.13.0 Alpha
by Jakub Hrozek
=== SSSD 1.13.0 ===
The SSSD team is proud to announce the release of version 1.13.0 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora rawhide shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* Support for separate prompts when using two-factor authentication was added
* Added support for one-way trusts between an IPA and Active Directory
environment. Please note that this SSSD functionality depends on IPA code
that is not released at the moment.
* The fast memory cache now also supports the initgroups operation.
* The PAM responder is now capable of caching authentication for configurable
period, which might reduce server load in cases where accounts authenticate
very frequently. Please refer to the cached_auth_timeout option in the
sssd.conf manual page.
* The Active Directory provider has changed the default value of the
ad_gpo_access_control option from permissive to enforcing. As a consequence,
the GPO access control now affects all clients that set access_provider to
ad. In order to restore the previous behaviour, set ad_gpo_access_control
to permissive or use a different access_provider type.
* Group Policy objects defined in a different AD domain than the computer
object is defined in are now supported.
* Credential caching and Offline authentication are also available when
using two-factor authentication
* Many enhancements to the InfoPipe D-Bus API. Notably, the SSSD users
and groups are now exposed as first-class objects. The users and groups
can also be marked as cached and would subsequently show up in the
Introspection output
* The DBus interface is now also able to look up User objects by
certificate. This is a first part of work that will eventually allow
smart-card authentication in SSSD.
* The LDAP cleanup task is now disabled by default, unless enumeration is
enabled. Please refer to the ldap_purge_cache_timeout option in case your
environment requires the cleanup task
* The Python bindings are now built for both Python2 and Python3
* The LDAP bind timeout, StartTLS timeout and password change timeout are
now configurable using the ldap_opt_timeout option
== Packaging Changes ==
* A new directory /var/lib/sss/keytabs is present and owned by the sssd-ipa
subpackage. The SSSD stores keytabs for one-way trust relationships in
this directory. Downstreams should make sure that the directory is only
readable to the user who runs the SSSD service.
* Several packaging changes are present in this release to support the
Python3 bindings, notably new python-sss and python-sss-murmur subpackages
are introduced in upstream RPM packaging
* All python bindings now have a Python3 and a Python2 version in the
upstream RPM packaging scheme
* The OpenSSL development library such as openssl-devel on RHEL/Fedora or
Debian/Ubuntu libssl-dev is now required to support certificate operations
* A new internal library libsss_cert.so is present in this release.
* The fast initgroups memcache is represented by a new file
/var/lib/sss/mc/initgroups
== Documentation Changes ==
* The ad_gpo_access_control option default has changed from permissive
to enforcing
* The default value of ldap_purge_cache_timeout changed to 0, thus
effectively disabling the cleanup task.
* A new option cache_credentials_minimal_first_factor_length was added. This
option sets constraints on the password length if One-Time passwords
are used and credentials are to be cached. Please see the sssd.conf(5)
man page for more details
* The cached authentication is controlled by new option
cached_auth_timeout. By default the cached authentication is disabled.
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/897
sssd should pass -d to nsupdate when running with high log level
https://fedorahosted.org/sssd/ticket/1501
Make the LDAP bind operation timeout configurable
https://fedorahosted.org/sssd/ticket/2150
[RFE] Expose listing calls over D-BUS
https://fedorahosted.org/sssd/ticket/2224
nsupdate stderr is not captured
https://fedorahosted.org/sssd/ticket/2236
The cleanup task has no DEBUG statements
https://fedorahosted.org/sssd/ticket/2326
SBUS: Flush the UID cache when we receive NameOwnerChanged
https://fedorahosted.org/sssd/ticket/2338
[RFE] Implement object caching on the bus
https://fedorahosted.org/sssd/ticket/2339
IFP: support multiple interfaces for object
https://fedorahosted.org/sssd/ticket/2540
SSSD does not update Dynamic DNS records if the IPA domain differs
from machine hostname's domain
https://fedorahosted.org/sssd/ticket/2569
In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA
users are not able to log in unless use_fully_qualified_names is set
https://fedorahosted.org/sssd/ticket/2574
SSSD should be able to build python2 and python3 bindings in one build
https://fedorahosted.org/sssd/ticket/2583
[RFE] Homedir is always overwritten with subdomain_homedir value in
server mode
https://fedorahosted.org/sssd/ticket/2593
Does sssd-ad use the most suitable attribute for group name?
https://fedorahosted.org/sssd/ticket/2603
Make SSSD's HBAC validation more permissive if deny rules are not used
https://fedorahosted.org/sssd/ticket/2609
[bug] sssd always appends default_domain_suffix when checking for host keys
https://fedorahosted.org/sssd/ticket/2618
Man sssd-ad(5) lists Group Policy Management Editor naming for some
policies but not for all
https://fedorahosted.org/sssd/ticket/2620
id_provider=proxy with auth_provider=ldap does not work reliably
https://fedorahosted.org/sssd/ticket/2625
Sudo responder does not respect filter_users and filter_groups
https://fedorahosted.org/sssd/ticket/2627
Disable the cleanup task by default
https://fedorahosted.org/sssd/ticket/2636
RFE: Fetch keytabs for one-way trusts in IPA subdomain code
https://fedorahosted.org/sssd/ticket/2638
RFE: Change ad_id_ctx instantiation in the IPA subdomain code to
support one-way trusts
https://fedorahosted.org/sssd/ticket/2645
[RFE] Support GPOs from different domain controllers
https://fedorahosted.org/sssd/ticket/2661
RFE: Change AD GPO default to enforcing
https://fedorahosted.org/sssd/ticket/2666
sssd with ldap backend throws error domain log
https://fedorahosted.org/sssd/ticket/1807
[RFE] authenticate against cache in SSSD
https://fedorahosted.org/sssd/ticket/2485
[RFE] The fast memory cache should cache initgroups
https://fedorahosted.org/sssd/ticket/2590
SSSD doesn't re-read resolv.conf if the file doesn't exist during boot
https://fedorahosted.org/sssd/ticket/2641
Add a IS_DEFAULT_VIEW macro
https://fedorahosted.org/sssd/ticket/2701
Kerberos-based providers other than krb5 do not queue requests
== Detailed Changelog ==
Jakub Hrozek (73):
* MAN: Fix a typo
* SYSDB: Reduce code duplication in sysdb_gpo.c
* UTIL: Make two child_common.c functions static
* TESTS: Cover child_common.c with unit tests
* LDAP: Use child_io_destructor instead of child_cleanup in a custom destructor
* UTIL: Remove child_cleanup
* UTIL: Unify the fd_nonblocking implementation
* RESOLV: Remove obsolete in-tree implementation of SRV and TXT parsing
* PAM: print the pam status as string, too
* KRB5: More debugging for create_ccache()
* SDAP: Make simple bind timeout configurable
* SDAP: Make password change timeout configurable with ldap_opt_timeout
* SDAP: Make StartTLS bind configurable with ldap_opt_timeout
* SDAP: Decorate the sdap_op functions with DEBUG messages
* IPA: Remove the ipa_hbac_treat_deny_as option
* MAN: Clarify debug_level a bit
* SSH: Ignore the default_domain_suffix
* LDAP: Set sdap handle as explicitly connected in LDAP auth
* tests: Revert strcmp condition
* ncache: Fix sss_ncache_reset_permanent
* ncache: Silence critical error from filter_users when default_domain_suffix is set
* ncache: Add sss_ncache_reset_repopulate_permanent
* responders: reset ncache after domains are discovered during startup
* NSS: Reset negcache after checking domains
* MAN: Clarify how are GPO mappings called in GPO editor
* UTIL: Add a simple function to get the fd of debug_file
* dyndns: Log nsupdate stderr with a high debug level
* nsupdate: Append -d/-D to nsupdate with a high debug level
* subdom: Remove unused function get_flat_name_from_subdomain_name
* nss: Use negcache for getbysid requests
* tests: Add NSS responder tests for bysid requests
* LDAP: disable the cleanup task by default
* TESTS: Use the right testcase
* TESTS: Add test for get_next_domain
* LDAP: Do not print verbose DEBUG messages from providers that don't set UUID
* SYSDB: Store trust direction for subdomains
* UTIL/SYSDB: Move new_subdomain() to sysdb_subdomains.c and make it private
* TESTS: Add a test for sysdb_subdomains.c
* SYSDB: Add realm to sysdb_master_domain_add_info
* SYSDB: Add a forest root attribute to sss_domain_info
* IPA: Add ipa_subdomains_handler_get_{start,cont} wrappers
* IPA: Check master domain record before subdomain records
* IPA: Fold ipa_subdom_enumerates into ipa_subdom_store
* IPA: Also update master domain when initializing subdom handler
* IPA: Move server-mode functions to a separate module
* IPA: Split two functions to new module ipa_subdomains_utils.c
* IPA: Include ipaNTTrustDirection in the attribute set for trusted domains
* IPA: Read forest name for trusted forest roots as well
* IPA: Make constructing an IPA server mode context async
* TESTS: Split off keytab creation into a common module
* TESTS: Add a common mock_be_ctx function
* TESTS: Add a common function to set up sdap_id_ctx
* TESTS: Move krb5_try_kdcip to nested group test
* TESTS: Add unit test for the subdomain_server.c module
* IPA: Fetch keytab for 1way trusts
* AD: Rename ad_set_ad_id_options to ad_set_sdap_options
* AD: Rename ad_create_default_options to ad_create_2way_trust_options
* AD: Split off ad_create_default_options
* IPA/AD: Set up AD domain in ad_create_2way_trust_options
* IPA: Do not set AD_KRB5_REALM twice
* AD: Add ad_create_1way_trust_options
* IPA: Utility function for setting up one-way trust context
* LDAP: Do not set keytab through environment variable
* LDAP: Consolidate SDAP_SASL_REALM/SDAP_KRB5_REALM behaviour
* CONFIG: Add SSS_STATEDIR as VARDIR/lib/sss
* BUILD: Store keytabs in /var/lib/sss/keytabs
* Updating the translations for the 1.13 Alpha release
* Updating the version.m4 file for the 1.13 Beta release
* tests: Reduce duplication with new function test_ev_done
* KRB5: Add and use krb5_auth_queue_send to queue requests by default
* PAM: Only cache first-factor
* Updating the translations for the 1.13.0 release
* Updating the version for the 1.13.0 release
John Dickerson (1):
* MAN: Amend the description of ignore_group_members
Lukas Slebodnik (67):
* MAN: Remove indentation in element programlisting
* Fix warning: for loop has empty body
* Bump version to track 1.13 development
* SPEC: Use libnl3 for epel6
* MAKE: Don't include autoconf generated file to tarball
* TESTS: Mock return value of sdap_get_generic_recv
* test_nested_groups: Additional unit tests
* Fix warning: equality comparison with extraneous parentheses
* LDAP: Conditional jump depends on uninitialised value
* BUILD: Remove unused libraries for pysss.so
* BUILD: Remove unused variables
* BUILD: Remove detection of type Py_ssize_t
* UTIL: Remove python wrapper sss_python_set_new
* UTIL: Remove python wrapper sss_python_set_add
* UTIL: Remove python wrapper sss_python_set_check
* UTIL: Remove compatibility macro PyModule_AddIntMacro
* UTIL: Remove python wrapper sss_python_unicode_from_string
* BUILD: Use python-config for detection *FLAGS
* SPEC: Use new convention for python packages
* SPEC: Move python bindings to separate packages
* BUILD: Add possibility to build python{2,3} bindings
* TESTS: Run python tests with all supported python versions
* SPEC: Replace python_ macros with python2_
* SPEC: Build python3 bindings on available platforms
* BUILD: Uninstall also symbolic links to python bindings
* Remove unused argument from be_nsupdate_create_fwd_msg
* IPA: Remove unused argument from ipa_id_get_group_uuids
* Remove useless assignment to function parameter
* PAC: Fix memory leak
* responder_cache: Fix warning may be used uninitialized
* debug-tests: Fix test with new line in debug message
* BUILD: Add missing header file to tarball
* pam_client: fix casting to const pointer
* test_expire: Use right assertion macro for standard functions
* test_ldap_auth: Use right assertion for integer comparison
* test_resolv_fake: Fix alignment warning
* PAC: Remove unused function
* KRB5: Unify prototype and definition
* util-tests: Initialize boolean variable to default value
* SPEC: Drop workaround for old libtool
* SPEC: Drop workarounds for old rpmbuild
* SPEC: Remove unused option
* SPEC: Few cosmetic changes
* simple_access-tests: Simplify assertion
* sysdb-tests: Add missing assertions
* sysdb-tests: test return value before output arguments
* ad_opts: Use different default attribute for group name
* BUILD: Write hints about optional python bindings
* sss_client: Fix mixed enums
* LDAP: Remove dead assignment
* sss_client: Fix warning "_" redefined
* SSSDConfigTest: Use unique temporary directory
* util-tests: Add validation of internal error messages
* SDAP: Check return value before using output arguments
* SDAP: Log failure from sysdb_handle_original_uuid
* test_ipa_subdomains_server: Run clean-up after success
* IFP: Fix warnings with enabled optimisation
* SDAP: Remove user from cache for missing user in LDAP
* test_ipa_subdom_server: Add missing assert
* test_ipa_subdomains_server: Fix build with --coverage
* nss: Store entries in responder to initgr mmap cache
* mmap_cache: Invalidate entry in right memory cache
* nss: Invalidate entry in initgr mmap cache
* sss_client: Use initgr mmap cache in client code
* sss_cache: Clear also initgroups fast cache
* sss_client: Use unique lock for memory cache
* sss_client: Re-check memcache after acquiring the lock
Michal Zidek (5):
* Use FQDN if default domain was set
* MAN: default_domain_suffix with use_fully_qualified_names.
* views: Add is_default_view helper function
* MONITOR: Poll for resolv.conf if not available during boot
* MONITOR: Do not report missing file as fatal in monitor_config_file
Nikolai Kondrashov (3):
* BUILD: Add AM_PYTHON2_MODULE macro
* Add integration tests
* BUILD: Fix variable substitution in cwrap.m4
Pavel Březina (53):
* tests: refactor create_dom_test_ctx()
* tests: add create_multidom_test_ctx()
* tests: add test_multidom_suite_cleanup()
* tests: remove code duplication in single domain cleanup
* responders: new interface for cache request
* responders: enable views in cache request
* IFP: use new cache interface
* server-tests: use strtouint32 instead strtol
* sbus: add new iface via sbus_conn_register_iface()
* sbus: move iface and object path code to separate file
* sbus: use 'path/*' to represent a D-Bus fallback
* sbus: support multiple interfaces on single path
* sbus: add object path to sbus request
* sbus: add sbus_opath_hash_lookup_supported()
* sbus: support org.freedesktop.DBus.Introspectable
* sbus: support org.freedesktop.DBus.Properties
* sbus: unify naming of handler data variable
* sbus: move common opath functions from ifp to sbus code
* sbus: add sbus_opath_get_object_name()
* ifp: fix potential memory leak in check_and_get_component_from_path()
* sbus: use hard coded getters instead of generated
* sbus: remove unused 'reply as' functions
* IFP: move interface definitions from ifpsrv.c into separate file
* IFP: unify generated interfaces names
* sbus codegen: do not prefix getters with iface name
* IFP: simplify object path constant names
* sbus: add constant to represent subtree
* be_refresh: get rid of callback pointers
* sysdb: use sysdb_user/group_dn
* cache_req tests: rename test_user to test_user_by_name
* cache_req tests: define user name constant
* cache_req: preparations for different input type
* cache_req: add support for user by uid
* cache_req: add support for group by name
* cache_req: remove default branch from switches
* cache_req: add support for group by id
* cmocka: include mock_parse_inp in header file
* cache_req: parse input name if needed
* cache_req: return ERR_INTERNAL if more than one entry is found
* sbus: provide custom error names
* sbus: add sbus_opath_decompose[_exact]
* sbus: add a{sas} get invoker
* IFP: add org.freedesktop.sssd.infopipe.Users
* IFP: add org.freedesktop.sssd.infopipe.Users.User
* IFP: add org.freedesktop.sssd.infopipe.Groups
* IFP: add org.freedesktop.sssd.infopipe.Groups.Group
* IFP: deprecate GetUserAttr
* IFP: Implement org.freedesktop.sssd.infopipe.Cache[.Object]
* SBUS: Use default GetAll invoker if none is set
* SBUS: Add support for <node /> in introspection
* IFP: Export nodes
* sbus: add support for incoming signals
* sbus: listen to NameOwnerChanged
Pavel Reichl (20):
* add missing '\n' in debug messages
* PROXY: add missing space in debug message
* BUILD: fix chmake not to generate warning
* SDAP: log expired accounts at lower severity level
* KRB5: add debug hint
* TESTS: test expiration
* ldap: refactor check_pwexpire_kerberos to use util func
* ldap: refactor nds_check_expired to use util func
* Fix a few typos in comments
* sbus: sbus_opath_hash_add_iface free tmp talloc ctx
* krb5: remove field run_as_user
* localauth plugin: fix coverity warning
* dyndns: remove dupl declaration of ipa_dyndns_update
* dyndns: don't pass zone directive to nsupdate
* dyndns: ipa_dyndns.h missed declaration of used data
* krb: remove duplicate decl. of write_krb5info_file
* IPA: Don't override homedir with subdomain_homedir
* sysdb: new attribute lastOnlineAuthWithCurrentToken
* PAM: authenticate against cache
* Minor code improvements
Stephen Gallagher (5):
* LDAP: Support returning referral information
* AD GPO: Support processing referrals
* AD GPO: Change default to "enforcing"
* Add Vagrant configuration for SSSD
* GPO: Fix incorrect strerror on GPO access denial
Sumit Bose (22):
* Add leak check and command line option to test_authtok
* utils: add sss_authtok_[gs]et_2fa
* pam: handle 2FA authentication token in the responder
* Add pre-auth request
* krb5-child: add preauth and split 2fa token support
* IPA: create preauth indicator file at startup
* pam_sss: add pre-auth and 2fa support
* Add cache_credentials_minimal_first_factor_length config option
* sysdb: add sysdb_cache_password_ex()
* krb5: save hash of the first authentication factor to the cache
* krb5: try delayed online authentication only for single factor auth
* 2FA offline auth
* pam_sss: move message encoding into separate file
* PAM: add PAM responder unit test
* adding ldap_user_auth_type where missing
* LDAP: add ldap_user_certificate option
* certs: add PEM/DER conversion utilities
* sysdb: add sysdb_search_user_by_cert() and sysdb_search_object_by_cert()
* LDAP/IPA: add user lookup by certificate
* ncache: add calls for certificate based searches
* utils: add get_last_x_chars()
* IFP: add FindByCertificate method for User objects
8 years, 9 months
Race condition between SSSD & autofs on Ubuntu 14.04
by Ondrej Valousek
Hi list,
I have spotted a strange issue with SSSD on Ubuntu 14.04 when using sssd to provide maps for automounter. When I start the machine with a completely clean SSSD cache (rm -rf /var/lib/sssd/db/*, reboot), I cannot log in.
The only fix is to restart automounter & try again.
Funny thing is, that this procedure is only needed once - after all subsequent reboots it works just fine.
I know there is a bug with SSSD not able to respond fast enough to the automounter when enumeration is switched on. This is not my case (have enumeration disabled).
Is this something well known?
Thanks,
Ondrej
8 years, 9 months
AD site recognition with sssd version 1.11.5
by Ondrej Valousek
Hi List,
I am just trying to run sssd on Ubuntu 14.04 and it seems to be unable to detect the proper AD site it belongs to.
The thing is that, in order to detect the proper site, it needs to connect to some (random) AD controller first.
In our scenario, the box is only allowed to connect to the controller that belongs to the current AD site. Everything else is blocked by the firewall.
So what happens is:
1. Sssd starts
2. DNS SRV lookup for the dns domain discovers 15 domain controllers
3. SSSD randomly tries to connect to a couple of them, one by one
4. If we are unlucky, none of the first 1-2 controllers found belongs to the current site
5. SSSD bails out with timeout, marking the whole AD backend offline
The solution would probably be to connect all of them at once or extend the timeout after each attempt.
What do you think?
Ondrej
8 years, 9 months
SSSD 1.11.7 missing libsss_ad.so
by Frank Pikelner
I decided to get SSSD working on FreeBSD/PCBSD 10.1 using the AD provider. I got everything configured and when starting SSSD daemon an error is reported that libsss_ad.so is missing. Checking /usr/local/lib/sssd/ the file is in fact missing.
I've checked the BSD ports collection contents of SSSD and it is also not there.
Googling, I noticed a similar problem reported on the Suse forums:
https://forums.suse.com/showthread.php?4996-Issue-configuring-SSSD-missin...
Is this a known problem as I did not see any fixes?
Frank
8 years, 9 months