full_name_format and supplemental groups
by Orion Poplawski
Running IPA with an AD trust. Users are in AD. Trying to use
full_name_format = %1$s to strip the domain from user names. This appears to
break supplemental groups in strange ways.
On the IPA server:
Without full_name_format:
# id orion@ad.nwra.com
uid=470202603(orion@ad.nwra.com) gid=470202603(orion@ad.nwra.com)
groups=470202603(orion@ad.nwra.com),470200513(domain users@ad.nwra.com),470204703(pirep rd users@ad.nwra.com),470204714(wireless access@ad.nwra.com),470204715(nwra-users@ad.nwra.com),470204701(boulder@ad.nwra.com),470207608(heimdall users@ad.nwra.com),470200512(domain admins@ad.nwra.com),470207124(andreas admins@ad.nwra.com)
With:
# id orion@ad.nwra.com
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
If I add:
default_domain_suffix = ad.nwra.com
# id orion
uid=470202603(orion) gid=470202603(orion)
groups=470202603(orion),470200512(domain admins),470207608(heimdall users),470204714(wireless access),470204715(nwra-users),470204701(boulder),470204703(pirep rd users),470207124(andreas admins),470200513(domain users)
Which I guess makes some sense as you'd need to add the domain suffix back on
to find the groups.
But this appears to completely break IPA clients (with full_name_format = %1$s
and default_domain_suffix = ad.nwra.com):
# id orion@ad.nwra.com
id: orion@ad.nwra.com: no such user
# id orion
id: orion: no such user
From looking at the server logs, it looks like only the IPA domain is searched.
If I reset the server back to normal (drop full_name_format and
default_domain_suffix):
# id orion
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
I don't get any supplemental groups. I see sssd errors like:
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
Is it trying "cn=groups,cn=nwra.com,cn=sysdb" instead of
"cn=groups,cn=ad.nwra.com,cn=sysdb"?
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 http://www.nwra.com
please do not remove enumeration from AD provider
by James Ralston
On Wed, May 6, 2015 at 4:27 AM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
> You know, just this morning, I was thinking about enumeration. It
> doesn't work for IPA views at all for example. It doesn't work for
> trusted domains at all either (except for some limited support in AD
> trusted domains that is very untested)
>
> I wonder if we could just remove enumeration from IPA and AD back
> ends in some major release.
Please don't do this.
Enumeration is a very useful feature. It allows us to do things like
this:
$ getent passwd | grep -i lastname
The equivalent ldapsearch command is much more tedious:
$ ldapsearch -z 0 -E pr=2147483647/noprompt -o ldif-wrap=no -L -L \
    -H 'ldap:///dc%3Dexample%2Cdc%3Dorg' -Y GSSAPI -N -b "dc=example,dc=org" \
    "(&(objectClass=user)(cn=*lastname*))" dn cn sAMAccountName
More generically, enumeration is the way Unix/Linux has always worked.
Even getting users to change from:
grep -i lastname /etc/passwd
To this:
getent passwd | grep -i lastname
...has been a struggle.
We also have various services that (unfortunately) pre-load the passwd
and group files at startup by enumerating them with getpwent_r() and
getgrent_r(), instead of using the get*nam_r() and get*id_r()
functions as-needed. These services break outright if enumeration is
disabled.
(Yes, these services are broken. Yes, they shouldn't do that. But our
ability to fix them is extremely limited at best, because we don't
control them.)
Finally, we have many systems that cannot be joined to Active
Directory (for policy reasons, not technical reasons). But we want to
use the same passwd/group entries on those systems as returned by sssd
on hosts that are joined to Active Directory. We do this by scraping
the output of "getent -s sss passwd" and "getent -s sss group" and
manually merging it into the local passwd and group files
(respectively) on these hosts.
> It's just a legacy feature, so those who need it can fall back to
> the LDAP provider..
But the LDAP provider doesn't support ID mapping; only the AD provider
does. And ID mapping is the main reason we use sssd.
I'm not asking you to make enumeration the default. It shouldn't be;
it should be something you only turn on if you need it, and you KNOW
you need it. But if you need it, you NEED it. Please don't take it
away.
Kerberos + AD: session encryption
by l@avc.su
Hello.
I've configured domain membership for one Linux server, and now I'm
trying to understand one thing. I can't figure out how SASL-GSSAPI
encrypts LDAP requests and GC interactions. As far as I understand,
Kerberos is a protocol solely for authentication, and SASL-GSSAPI
gives it the ability to encrypt all data transactions between authenticated
hosts. But this encryption is not mandatory.
I've done several queries via the 'id' utility to generate traffic, and
captured it. All I can see is LDAP traffic to 389/tcp and 3268/tcp,
which is encrypted. I can decrypt it by loading the host's keytab into
Wireshark.
We've disabled anonymous and insecure binds (without integrity checking
or SSL/TLS encryption) in AD, and didn't adjust the minssf/maxssf parameters
on Linux. As far as I understand, AD does not require whole-session
encryption, and neither does Linux.
All authentication is done in SSSD (authconfig --enablesssd
--enablesssdauth).
To summarize: I want to understand why SASL-GSSAPI encrypts the whole
connection and not just the auth phase, so I can be sure that one day all
connections won't appear in plaintext on the network.
If I had more experience in programming, I could have found the answer in
the source code (all hail open source) to fulfill my curiosity, but
unfortunately I can't do that, so I'd appreciate any help/hints/links
on the topic.
Kind regards.
kvno out of sync and trust issues
by Carl Pettersson (BN)
Hi,
(Warning: It's been a looong day, and upon rereading, the below may not be entirely coherent. I'll gladly clarify in the morning where needed)
We've been struggling for several months with getting our Linux (a mix of CentOS 7 and RHEL 7.1) servers AD integrated. We have a Win2012R2 domain with two sites, and several cross-forest, one-way trusts, and at the moment we are mostly (see below) able to authenticate with accounts local to our domain. We currently have two problems (that we know of):
* After a few days, it is no longer possible to log in with a domain account. Restarting sssd mostly works, and if not, performing a domain join again does. What we've seen is that this seems to change the KVNO field of kinit -k, and we've seen an error message (which I can't find again at the moment, sorry) indicating that this is a problem. Oddly enough, on some of the servers which we still can log on to, the KVNO can be different from the one which we just "fixed". The KVNO seems to always be either 2 or 5, switching when we "fix" a server.
* Authenticating with an account from a trusted domain never works. I can ping domain controllers from the other domain, I can telnet all the AD ports I can think of (significantly, 389 and 88), and there's no real error message shown anywhere. Right now /var/log/secure complains about unknown users, and journalctl says "Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)". I can resolve both A and PTR records, both on local and remote domains.
I'm at a loss on how to continue with the troubleshooting. People are starting to mumble about requesting local accounts on all machines. Tonight, I tried throwing PBIS Open (previously Likewise) on a machine, and it just worked. I'd like to avoid PBIS, though, since it is a bit more opaque about how it works, and we'd probably end up having to pay to get the features we could get from sssd in a (mostly) more understandable and clean packaging. But this would at least seem to indicate that the issue is with our configuration, rather than some infrastructural problem?
Here's the configuration files:
/etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = AD.MAIN-DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
[domain_realm]
/etc/sssd/sssd.conf
[sssd]
services = nss, pam, ssh, autofs
config_file_version = 2
domains = AD.MAIN-DOMAIN.COM
[nss]
override_homedir = /home/%d/%u
override_shell = /bin/bash
[domain/AD.MAIN-DOMAIN.COM]
id_provider = ad
use_fully_qualified_names = TRUE
krb5_renew_interval = 1h
I tried replacing the krb5.conf file with the one generated by PBIS, but that didn't help, unfortunately.
Any ideas for things to try would be greatly appreciated!
Best regards,
Carl
Question authentication SSSD with multi forests
by Anthony Gautier De Lahaut
Hi,
I would like to contact you because I have a problem with authentication
via SSSD.
Let me explain my problem...
I have 2 forests, LESLANDES.LOCAL and ESSONNE.LOCAL.
LESLANDES.LOCAL is composed of:
- srv.LESLANDES.LOCAL (WS 2012 R2: AD (+ trust relationship), DNS (+
DNS Forwarders)).
- client.LESLANDES.LOCAL (CentOS 6.7: SSSD (sssd-1.12.4-47.el6.x86_64)).
ESSONNE.LOCAL is composed of:
- srv.ESSONNE.LOCAL (WS 2012 R2: AD (+ trust relationship), DNS (+
DNS Forwarders)).
Domain users of LESLANDES.LOCAL (e.g. bwillis@LESLANDES.LOCAL) can log in
on client.LESLANDES.LOCAL, but domain users of ESSONNE.LOCAL can't....
I have followed and read different topics but nothing....
https://fedorahosted.org/sssd/wiki/InternalsDocs#a4.2.MultipleDomainsandT...
http://jhrozek.livejournal.com/
....
Many thanks,
Regards,
Anthony.
PS: In the attachment, details of the project (configuration and logs).
multi ldap domains setup with conflicting uid/gid ranges.
by Pierre Neyron
Hi,
I would like to use SSSD to allow authentication on linux machines for
users managed in 2 LDAP bases.
While SSSD is capable of supporting several domains, it seems to only
allow handling the case where uid/gid are well partitioned between the
bases, with no conflicts (each base having its own uid/gid range).
I'm wondering if there is any plan to add support in SSSD for
renumbering uid and gid in the case of bases which are not well
partitioned?
Or if anyone has already faced the problem and found a nice way to manage
such a use case?
Thanks,
BR
--
Pierre
Public ssh key in AD
by Davor Vusir
Hi!
We store our public ssh keys in the AD user account (altSecurityIdentities).
Red Hat release 6.6/sssd 1.11.6. Adding
subdomains_provider = none
alone ends in not being able to get the public key, and we are asked for our
AD user account's password instead.
Adding
ldap_groups_use_matching_rule_in_chain = True
ldap_initgroups_use_matching_rule_in_chain = True
makes the logon time so long that it seems that SSSD forgets the content
of the attribute altSecurityIdentities and we are asked for our AD user
account's password. But logging on immediately again, we are asked for
public key verification.
Red Hat release 7.1/sssd 1.12.2. Adding
subdomains_provider = none
alone ends in not being able to get the public key, and we are asked for our
AD user account's password instead.
Adding
ldap_groups_use_matching_rule_in_chain = True
ldap_initgroups_use_matching_rule_in_chain = True
gives the same result: AD user account's password only. But not the
extended logon time.
How come?
Regards
Davor Vusir
SL 6.x sssd-1.12.4-47 dereference processing failed I/O error
by John Desantis
Hello all,
First off, a big thanks to the developers for providing this piece of
software! Now, to the point!
I've recently run into the error(?) message below (/var/log/messages) on
some of our infrastructure nodes which have upgraded from sssd 1.9.x to
sssd-1.12.4-47:
sssd[be[rc.usf.edu]]: dereference processing failed : Input/output error
sssd[be[rc.usf.edu]]: dereference processing failed : Input/output error
Doing some online research and checking the list archives (2012-2015), I
found that other users with varied versions of sssd and Linux had run into
this issue as well. It was suggested that they should use
"ldap_deref_threshold = 0". A user also reported no errors after enabling
enumeration. I've done both on a test node and the message persists. I
even purged the db and cache without luck. I am using "error(?)" because I
am not experiencing any user/group resolution errors. All calls to getent
and id are successful.
A thread from February 2013 [1] had a suggestion to check LDAP with a deref
call and without. On the affected nodes, it does return a result; the OP
of that thread said that the deref call failed.
I also saw a bug report for IPA 4.0 [2] that seems to reference the same
issue, but I'm not able to duplicate the problem.
There was an update to the LDAP servers via yum (minor bug fix revisions)
for 389ds and IPA, but nothing major. All other nodes running sssd-1.9.x
are not manifesting this message.
We're using FreeIPA (IPA server 3.0.0-47) with 389ds 1.2.11.15-60.
I can produce detailed logs upon request, but before doing so I was hoping
that the community could tell me if the message is a red herring and can be
safely ignored, or if there is something else that should be checked. It's
just very odd that the older clients aren't manifesting the message and
these new clients are, even though nothing seems "broken".
[1]
https://lists.fedorahosted.org/pipermail/sssd-users/2013-February/000418....
[2] https://fedorahosted.org/freeipa/ticket/4389
Thanks for any information!
John DeSantis
SSSD + AD: adcli, kerberos
by l@avc.su
Hi all.
I've enrolled linux machine into domain using this tutorial:
http://jhrozek.livejournal.com/3581.html
Now I can connect to the Linux machine with a Kerberos ticket from a Linux
machine or a Windows machine. But I can't log in using a password anymore.
Although I can obtain user info, request a TGT, and operate on this
server normally, I can't log in to it with a password.
I ran 'authconfig --enablesssd --enablesssdauth --enablemkhomedir
--update', so all auth should be done in SSSD. I haven't configured
winbind with sssd.
I've managed to work around it by adding this line to /etc/pam.d/system-auth:
auth sufficient pam_krb5.so
But this seems like the wrong way to do it. A very wrong and dirty way. Or
maybe I'm wrong?
I want to use SSSD as a service for id and auth, with AD as backend.
Here's what debug4 says:
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for
[ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for
[ssh-username@domain.local]
(service pings)
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for
[ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for
[ssh-username@domain.local]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for
[ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for
[ssh-username@domain.local]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for
[ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for
[ssh-username@domain.local]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for
[ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for
[ssh-username@domain.local]
[sssd[pam]] [pam_cmd_authenticate] (0x0100): entering
pam_cmd_authenticate
[sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[pam]] [pam_print_data] (0x0100): domain: not set
[sssd[pam]] [pam_print_data] (0x0100): user: ssh-username
[sssd[pam]] [pam_print_data] (0x0100): service: sshd
[sssd[pam]] [pam_print_data] (0x0100): tty: ssh
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set
[sssd[pam]] [pam_print_data] (0x0100): rhost: it-a1867.domain.local
[sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): priv: 1
[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 7971
[sssd[pam]] [pam_print_data] (0x0100): logon name: ssh-username
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to
resolve service 'AD_GC'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed uri
'ldap://AD.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed GC
uri 'ldap://AD.domain.local:3268'
[sssd[be[domain.local]]] [sdap_get_server_opts_from_rootdse] (0x0100):
Setting AD compatibility level to [6]
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to
resolve service 'AD'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed uri
'ldap://AD.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed GC
uri 'ldap://AD.domain.local'
[[sssd[ldap_child[7973]]]] [ldap_child_get_tgt_sync] (0x0100): Principal
name is: [hostname$@domain.LOCAL]
[[sssd[ldap_child[7973]]]] [ldap_child_get_tgt_sync] (0x0100): Using
keytab [MEMORY:/etc/krb5.keytab]
[sssd[be[domain.local]]] [sdap_cli_auth_step] (0x0100): expire timeout
is 900
[sssd[be[domain.local]]] [sasl_bind_send] (0x0100): Executing sasl bind
mech: gssapi, user: hostname$
[sssd[be[domain.local]]] [child_sig_handler] (0x0100): child [7973]
finished successfully.
[sssd[be[domain.local]]] [fo_set_port_status] (0x0100): Marking port 0
of server 'AD.domain.local' as 'working'
[sssd[be[domain.local]]] [set_server_common_status] (0x0100): Marking
server 'AD.domain.local' as 'working'
[sssd[be[domain.local]]] [acctinfo_callback] (0x0100): Request
processed. Returned 0,0,Success
[sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for
[ssh-username@domain.local]
[sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the
following data:
[sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[pam]] [pam_print_data] (0x0100): domain: domain.local
[sssd[pam]] [pam_print_data] (0x0100): user: ssh-username
[sssd[pam]] [pam_print_data] (0x0100): service: sshd
[sssd[pam]] [pam_print_data] (0x0100): tty: ssh
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set
[sssd[pam]] [pam_print_data] (0x0100): rhost: it-a1867.domain.local
[sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): priv: 1
[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 7971
[sssd[pam]] [pam_print_data] (0x0100): logon name: ssh-username
[sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
[sssd[be[domain.local]]] [be_pam_handler] (0x0100): Got request with the
following data
[sssd[be[domain.local]]] [pam_print_data] (0x0100): command:
PAM_AUTHENTICATE
[sssd[be[domain.local]]] [pam_print_data] (0x0100): domain: domain.local
[sssd[be[domain.local]]] [pam_print_data] (0x0100): user: ssh-username
[sssd[be[domain.local]]] [pam_print_data] (0x0100): service: sshd
[sssd[be[domain.local]]] [pam_print_data] (0x0100): tty: ssh
[sssd[be[domain.local]]] [pam_print_data] (0x0100): ruser:
[sssd[be[domain.local]]] [pam_print_data] (0x0100): rhost:
it-a1867.domain.local
[sssd[be[domain.local]]] [pam_print_data] (0x0100): authtok type: 1
[sssd[be[domain.local]]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[be[domain.local]]] [pam_print_data] (0x0100): priv: 1
[sssd[be[domain.local]]] [pam_print_data] (0x0100): cli_pid: 7971
[sssd[be[domain.local]]] [pam_print_data] (0x0100): logon name: not set
[sssd[be[domain.local]]] [krb5_auth_send] (0x0100): Home directory for
user [ssh-username] not known.
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to
resolve service 'AD'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed uri
'ldap://AD.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed GC
uri 'ldap://AD.domain.local'
[[sssd[krb5_child[7974]]]] [unpack_buffer] (0x0100): cmd [241] uid
[704417315] gid [704400513] validate [true] enterprise principal [true]
offline [false] UPN [ssh-username@DOMAIN.LOCAL]
[[sssd[krb5_child[7974]]]] [unpack_buffer] (0x0100): ccname:
[FILE:/tmp/krb5cc_704417315_XXXXXX] old_ccname:
[FILE:/tmp/krb5cc_704417315_9XJZwx] keytab: [/etc/krb5.keytab]
[[sssd[krb5_child[7974]]]] [check_use_fast] (0x0100): Not using FAST.
[[sssd[krb5_child[7974]]]] [privileged_krb5_setup] (0x0080): Cannot open
the PAC responder socket
[[sssd[krb5_child[7974]]]] [set_lifetime_options] (0x0100): Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
[[sssd[krb5_child[7974]]]] [set_lifetime_options] (0x0100): Cannot read
[SSSD_KRB5_LIFETIME] from environment.
[[sssd[krb5_child[7974]]]] [set_canonicalize_option] (0x0100):
SSSD_KRB5_CANONICALIZE is set to [true]
(service pings)
[[sssd[krb5_child[7974]]]] [sss_send_pac] (0x0040): sss_pac_make_request
failed [-1][2].
[[sssd[krb5_child[7974]]]] [validate_tgt] (0x0040): sss_send_pac failed,
group membership for user with principal
[ssh-username\@DOMAIN.LOCAL@DOMAIN.LOCAL] might not be correct.
[[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590:
[13][Permission denied]
[[sssd[krb5_child[7974]]]] [get_and_save_tgt] (0x0020): 1029:
[1432158209][Unknown code UUz 1]
[[sssd[krb5_child[7974]]]] [map_krb5_error] (0x0020): 1069:
[1432158209][Unknown code UUz 1]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Backend
returned: (0, 4, <NULL>) [Success]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Sending
result [4][domain.local]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Sent result
[4][domain.local]
[sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][domain.local]
[sssd[be[ssh-username.local]]] [child_sig_handler] (0x0100): child
[7974] finished successfully.
Here's sssd.conf:
[domain/domain.local]
debug_level = 2
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
case_sensitive = false
cache_credentials = false
krb5_auth_timeout = 30
ad_domain = domain.local
ad_hostname = hostname.domain.local
ad_server = ad.domain.local, _srv_, ad2.domain.local
ad_backup_server = 192.168.0.13
ad_gpo_access_control = disabled
ldap_user_ssh_public_key = altSecurityIdentities
[sssd]
debug_level = 2
domains = domain.local
services = nss,pam,ssh
config_file_version = 2
[nss]
filter_users = root
filter_groups = root
default_shell = /bin/bash
override_homedir = /home/%d/%u
debug_level = 2
[pam]
debug_level = 2
offline_credentials_expiration = 7 # days
offline_failed_login_attempts = 6
offline_failed_login_delay = 5 # minutes
pam_pwd_expiration_warning = 5
[ssh]
debug_level=2
Here's nsswitch.conf:
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
Here's krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
DOMAIN.LOCAL = {
# using dns lookup, nothing to write here
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
sssd fails - too many open files
by Ondrej Valousek
Hi list,
I have a problem: sssd is unable to authenticate anyone.
In logs I see:
(Thu Aug 27 08:52:56 2015) [sssd[be[default]]] [krb5_auth_done] (0x0020): child failed (24 [Too many open files])
(Thu Aug 27 08:53:18 2015) [sssd[be[default]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Thu Aug 27 08:53:18 2015) [sssd[be[default]]] [be_ptask_enable] (0x0080): Task [Check if online (periodic)]: already enabled
(Thu Aug 27 08:53:18 2015) [sssd[be[default]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Thu Aug 27 08:53:18 2015) [sssd[be[default]]] [fork_child] (0x0020): pipe failed [24][Too many open files].
(Thu Aug 27 08:53:18 2015) [sssd[be[default]]] [handle_child_send] (0x0020): fork_child failed.
(Thu Aug 27 08:53:18 2015) [sssd[be[default]]] [krb5_auth_done] (0x0020): child failed (24 [Too many open files])
(Thu Aug 27 08:53:20 2015) [sssd[be[default]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Thu Aug 27 08:53:20 2015) [sssd[be[default]]] [be_ptask_enable] (0x0080): Task [Check if online (periodic)]: already enabled
(Thu Aug 27 08:53:20 2015) [sssd[be[default]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Thu Aug 27 08:53:20 2015) [sssd[be[default]]] [fork_child] (0x0020): pipe failed [24][Too many open files].
(Thu Aug 27 08:53:20 2015) [sssd[be[default]]] [handle_child_send] (0x0020): fork_child failed.
(Thu Aug 27 08:53:20 2015) [sssd[be[default]]] [krb5_auth_done] (0x0020): child failed (24 [Too many open files])
Restart of the service fixes the problem.
Anyone seeing this?
Thanks,
Ondrej
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
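Added example (not code from any post above): a small Python parser for the SSSD debug-log line format quoted in this thread and in the full_name_format thread at the top of the page. It classifies the "Too many open files" (EMFILE) and sysdb "Could not add member" failures so they can be spotted in bulk rather than by eye; the sample lines are constructed from the messages quoted on the page, and the findings text is an assumption about what to check, not SSSD's own diagnostics.

```python
import re
from collections import Counter

# SSSD debug-log line: (timestamp) [process] [function] (0xLEVEL): message
# The timestamp is optional so lines copied from foreground/debug output parse too.
LINE_RE = re.compile(
    r"^(?:\((?P<ts>[^)]+)\)\s+)?\[(?P<proc>.+?)\]\s+"        # optional timestamp, process
    r"\[(?P<func>\w+)\]\s+\((?P<level>0x[0-9a-fA-F]{4})\):\s*(?P<msg>.*)$")

# debug_level bits as documented in sssd.conf(5)
LEVELS = {0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor",
          0x0100: "config", 0x0200: "function data", 0x0400: "trace"}

# Failure classes quoted in the threads above, matched against the message text.
RULES = (
    ("fd_exhaustion", re.compile(r"Too many open files")),   # errno 24, EMFILE
    ("sysdb_membership", re.compile(
        r"Could not add member \[(?P<member>[^\]]+)\] to group \[(?P<dn>[^\]]+)\]")),
    ("no_servers", re.compile(r"No available servers for service '(?P<svc>[^']+)'")),
    ("went_offline", re.compile(r"Going offline")),
)

# Constructed sample: lines from the "too many open files" and full_name_format
# posts, one nss line without a timestamp, and one line that is not a log entry.
SAMPLE = """\
(Thu Aug 27 08:52:56 2015) [sssd[be[default]]] [krb5_auth_done] (0x0020): child failed (24 [Too many open files])
(Thu Aug 27 08:53:18 2015) [sssd[be[default]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Thu Aug 27 08:53:18 2015) [sssd[be[default]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Thu Aug 27 08:53:18 2015) [sssd[be[default]]] [fork_child] (0x0020): pipe failed [24][Too many open files].
(Thu Aug 27 08:53:18 2015) [sssd[be[default]]] [handle_child_send] (0x0020): fork_child failed.
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [ssh-username] from [<ALL>]
not a log line
"""


def parse_line(line):
    """Return a dict for one SSSD log line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["level"] = int(entry["level"], 16)
    entry["severity"] = LEVELS.get(entry["level"], "unknown")
    be = re.match(r"sssd\[be\[(?P<dom>[^\]]+)\]\]", entry["proc"])
    entry["be_domain"] = be.group("dom") if be else None   # backend's domain, if any
    entry["label"] = "other"
    for label, rule in RULES:
        hit = rule.search(entry["msg"])
        if hit:
            entry["label"] = label
            entry.update(hit.groupdict())   # member/dn/svc captured by the rule
            break
    return entry


def diagnose(text):
    """Parse a log excerpt; return parsed entries, counts per label and findings."""
    entries = [e for e in (parse_line(ln) for ln in text.splitlines()) if e]
    counts = Counter(e["label"] for e in entries)
    findings = []
    emfile = [e for e in entries if e["label"] == "fd_exhaustion"]
    if emfile:
        procs = ", ".join(sorted({e["proc"] for e in emfile}))
        findings.append(
            f"{len(emfile)} EMFILE error(s) in {procs}: the backend can no longer "
            "fork krb5_child/ldap_child; compare the sssd_be fd count in "
            "/proc/<pid>/fd with its ulimit -n and watch whether it grows over time")
    for e in entries:
        if e["label"] == "sysdb_membership":
            dom = re.search(r"cn=(?P<d>[^,]+),cn=sysdb$", e["dn"])
            dom = dom.group("d") if dom else "?"
            findings.append(
                f"sysdb refused member [{e['member']}] for group [{e['dn']}]: the "
                f"group DN is in the {dom} container while the backend is "
                f"{e['be_domain']}; check which domain container really holds the group")
    return {"entries": entries, "counts": counts, "findings": findings}
```

Run `diagnose(open("/var/log/sssd/sssd_<domain>.log").read())["findings"]` against a real backend log (path is an assumption about the default log location) to get the same summary for a live system.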