full_name_format and supplemental groups
by Orion Poplawski
Running IPA with an AD trust. Users are in AD. Trying to use
full_name_format = %1$s to strip the domain from user names. This appears to
break supplemental groups in strange ways.
On the IPA server:
Without full_name_format:
# id orion@ad.nwra.com
uid=470202603(orion@ad.nwra.com) gid=470202603(orion@ad.nwra.com) groups=470202603(orion@ad.nwra.com),470200513(domain users@ad.nwra.com),470204703(pirep rd users@ad.nwra.com),470204714(wireless access@ad.nwra.com),470204715(nwra-users@ad.nwra.com),470204701(boulder@ad.nwra.com),470207608(heimdall users@ad.nwra.com),470200512(domain admins@ad.nwra.com),470207124(andreas admins@ad.nwra.com)
With:
# id orion@ad.nwra.com
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
If I add:
default_domain_suffix = ad.nwra.com
# id orion
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion),470200512(domain admins),470207608(heimdall users),470204714(wireless access),470204715(nwra-users),470204701(boulder),470204703(pirep rd users),470207124(andreas admins),470200513(domain users)
Which I guess makes some sense as you'd need to add the domain suffix back on
to find the groups.
But this appears to completely break IPA clients (with full_name_format = %1$s
and default_domain_suffix = ad.nwra.com):
# id orion@ad.nwra.com
id: orion@ad.nwra.com: no such user
# id orion
id: orion: no such user
From looking at the server logs, it looks like only the IPA domain is searched.
If I reset the server back to normal (drop full_name_format and
default_domain_suffix):
# id orion
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
I don't get any supplemental groups. I see sssd errors like:
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
Is it trying "cn=groups,cn=nwra.com,cn=sysdb" instead of
"cn=groups,cn=ad.nwra.com,cn=sysdb"?
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 http://www.nwra.com
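As an added example (not code from the post), a small Python helper that parses `id` output into numeric IDs and names, reports which supplemental groups vanished between two runs, and flags a sysdb_update_members_ex error whose cache DN names a different domain than the user's. The sample strings are constructed from the values shown above:

```python
import re

# Constructed samples (names and IDs taken from the post, abbreviated):
# the same user's `id` output before and after setting full_name_format = %1$s.
ID_WITHOUT = ("uid=470202603(orion@ad.nwra.com) gid=470202603(orion@ad.nwra.com) "
              "groups=470202603(orion@ad.nwra.com),470200513(domain users@ad.nwra.com),"
              "470200512(domain admins@ad.nwra.com)")
ID_WITH = "uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)"

# Constructed sssd back end log line in the same shape as the one in the post.
LOG_LINE = ("(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] "
            "(0x0020): Could not add member [orion] to group "
            "[name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.")

# One "<id>(<name>)" item; the name may contain spaces and an @domain suffix,
# which is why `id` output cannot simply be split on whitespace.
_ITEM_RE = re.compile(r"(\d+)\(([^)]*)\)")
_KEY_RE = re.compile(r" (?:uid|gid|groups)=")
_LOG_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<be>[^\]]+)\]\]\] "
                     r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
_GROUP_DN_RE = re.compile(r"to group \[(?P<dn>[^\]]+)\]")


def _section(output, key):
    """Return the text after 'key=' up to the next top-level key."""
    start = output.index(key + "=") + len(key) + 1
    nxt = _KEY_RE.search(output, start)
    return output[start:nxt.start() if nxt else len(output)]


def parse_id(output):
    """Parse `id` output into uid, gid and the ordered list of (gid, name) groups."""
    uid = _ITEM_RE.findall(_section(output, "uid"))[0]
    gid = _ITEM_RE.findall(_section(output, "gid"))[0]
    groups = _ITEM_RE.findall(_section(output, "groups"))
    return {"uid": (int(uid[0]), uid[1]),
            "gid": (int(gid[0]), gid[1]),
            "groups": [(int(g), n) for g, n in groups]}


def missing_supplemental_groups(before, after):
    """GIDs (with the name seen in `before`) that disappeared from `after`.
    Comparison is by numeric GID so a group that was merely renamed (suffix
    stripped) still counts as present. The primary group is ignored."""
    b, a = parse_id(before), parse_id(after)
    present = {g for g, _ in a["groups"]}
    return [(g, n) for g, n in b["groups"]
            if g not in present and g != b["gid"][0]]


def sysdb_domain_mismatch(line, user_domain):
    """For a sysdb_update_members_ex failure, return (group DN, domain named in
    the DN) when the cache DN points at a different domain than the user's;
    None for any other line or when the domains agree."""
    m = _LOG_RE.match(line)
    if not m or m.group("func") != "sysdb_update_members_ex":
        return None
    dn_match = _GROUP_DN_RE.search(m.group("msg"))
    if not dn_match:
        return None
    dn = dn_match.group("dn")
    rdns = [r.strip() for r in dn.split(",")]
    # sysdb group DNs have the form name=<group>,cn=groups,cn=<domain>,cn=sysdb
    try:
        dn_domain = rdns[rdns.index("cn=groups") + 1].split("=", 1)[1]
    except (ValueError, IndexError):
        return None
    if dn_domain.lower() == user_domain.lower():
        return None
    return dn, dn_domain


if __name__ == "__main__":
    for gid, name in missing_supplemental_groups(ID_WITHOUT, ID_WITH):
        print("lost supplemental group %d (%s)" % (gid, name))
    hit = sysdb_domain_mismatch(LOG_LINE, "ad.nwra.com")
    if hit:
        print("cache DN %s names domain %s, but the user is in ad.nwra.com" % hit)
```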
please do not remove enumeration from AD provider
by James Ralston
On Wed, May 6, 2015 at 4:27 AM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
> You know, just this morning, I was thinking about enumeration. It
> doesn't work for IPA views at all for example. It doesn't work for
> trusted domains at all either (except for some limited support in AD
> trusted domains that is very untested)
>
> I wonder if we could just remove enumeration from IPA and AD back
> ends in some major release.
Please don't do this.
Enumeration is a very useful feature. It allows us to do things like
this:
$ getent passwd | grep -i lastname
The equivalent ldapsearch command is much more tedious:
$ ldapsearch -z 0 -E pr=2147483647/noprompt -o ldif-wrap=no -L -L \
    -H 'ldap:///dc%3Dexample%2Cdc%3Dorg' -Y GSSAPI -N -b "dc=example,dc=org" \
    "(&(objectClass=user)(cn=*lastname*))" dn cn sAMAccountName
More generically, enumeration is the way Unix/Linux has always worked.
Even getting users to change from:
grep -i lastname /etc/passwd
To this:
getent passwd | grep -i lastname
...has been a struggle.
We also have various services that (unfortunately) pre-load the passwd
and group files at startup by enumerating them with getpwent_r() and
getgrent_r(), instead of using the get*nam_r() and get*id_r()
functions as-needed. These services break outright if enumeration is
disabled.
(Yes, these services are broken. Yes, they shouldn't do that. But our
ability to fix them is extremely limited at best, because we don't
control them.)
Finally, we have many systems that cannot be joined to Active
Directory (for policy reasons, not technical reasons). But we want to
use the same passwd/group entries on those systems as returned by sssd
on hosts that are joined to Active Directory. We do this by scraping
the output of "getent -s sss passwd" and "getent -s sss group" and
manually merging it into the local passwd and group files
(respectively) on these hosts.
> It's just a legacy feature, so those who need it can fall back to
> the LDAP provider..
But the LDAP provider doesn't support ID mapping; only the AD provider
does. And ID mapping is the main reason we use sssd.
I'm not asking you to make enumeration the default. It shouldn't be;
it should be something you only turn on if you need it, and you KNOW
you need it. But if you need it, you NEED it. Please don't take it
away.
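An added example of the getent-scraping merge the post describes (not the poster's own script): a Python helper that merges `getent -s sss passwd` / `getent -s sss group` output into local passwd/group data, keeping local entries authoritative and skipping sss entries whose name or numeric ID collides or falls in the system range. The sample data is constructed, not real accounts:

```python
# Constructed sample data (no real accounts): an existing local /etc/passwd,
# /etc/group, and the output of `getent -s sss passwd` / `getent -s sss group`.
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Local:/home/alice:/bin/bash
svc:x:1500:1500:Service Account:/var/lib/svc:/sbin/nologin
"""
SSS_PASSWD = """bob:*:470202603:470200513:Bob Example:/home/bob:/bin/bash
alice:*:470202604:470200513:Alice Domain:/home/alice:/bin/bash
carol:*:1500:470200513:Carol Example:/home/carol:/bin/bash
dave:*:470202606:470200513:Dave Example:/home/dave:/bin/bash
"""
LOCAL_GROUP = """root:x:0:
alice:x:1000:
"""
SSS_GROUP = """domain users:*:470200513:bob,alice,carol,dave
alice:*:470200520:
wheel:*:470200514:bob
"""


def parse_db(text, nfields):
    """Split a passwd- or group-style file into field lists, rejecting
    malformed lines instead of silently merging them."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError("line %d: expected %d fields, got %d"
                             % (lineno, nfields, len(fields)))
        rows.append(fields)
    return rows


def merge_db(local_text, sss_text, nfields, id_floor=1000):
    """Merge sss entries into a local passwd (7 fields) or group (4 fields)
    file. Local entries are kept verbatim and always win; an sss entry is
    appended only if neither its name nor its numeric ID is already taken
    and its ID is not below id_floor (the system-account range). Returns
    (merged_lines, skipped) where skipped lists (name, reason) pairs."""
    local = parse_db(local_text, nfields)
    names = {r[0] for r in local}
    ids = {int(r[2]) for r in local}
    merged = [":".join(r) for r in local]
    skipped = []
    for row in parse_db(sss_text, nfields):
        name, num = row[0], int(row[2])
        if name in names:
            skipped.append((name, "name already defined locally"))
        elif num in ids:
            skipped.append((name, "id %d already defined locally" % num))
        elif num < id_floor:
            skipped.append((name, "id %d below floor %d" % (num, id_floor)))
        else:
            merged.append(":".join(row))
            names.add(name)
            ids.add(num)
    return merged, skipped


if __name__ == "__main__":
    for label, local, sss, n in (("passwd", LOCAL_PASSWD, SSS_PASSWD, 7),
                                 ("group", LOCAL_GROUP, SSS_GROUP, 4)):
        merged, skipped = merge_db(local, sss, n)
        print("== %s: %d entries ==" % (label, len(merged)))
        print("\n".join(merged))
        for name, reason in skipped:
            print("skipped %s: %s" % (name, reason))
```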
Announcing SSSD 1.13.1
by Jakub Hrozek
== SSSD 1.13.1 ==
The SSSD team is proud to announce the release of version 1.13.1 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* Initial support for Smart Card authentication was added. The feature
can be activated with the new pam_cert_auth option
* The PAM prompting was enhanced so that when Two-Factor Authentication
is used, both factors (password and token) can be entered separately
on separate prompts. At the same time, only the long-term password is
cached, so offline access would still work using the long term password
* A new command line tool sss_override is present in this release. The
tool allows overriding attributes on the SSSD side. It's helpful in
environments where e.g. some hosts need to have a different view of POSIX
attributes than others. Please note that the overrides are stored in
the cache as well, so removing the cache will also remove the overrides
* New methods were added to the SSSD D-Bus interface. Notably support
for looking up a user by certificate and looking up multiple users
using a wildcard was added. Please see the interface introspection or
the design pages for full details
* Several enhancements to the dynamic DNS update code. Notably, clients
that update multiple interfaces work better with this release
* This release supports authenticating against a KDC proxy
* The fail over code was enhanced so that if a trusted domain is not
reachable, only that domain will be marked as inactive but the back end
would stay in online mode
* Several fixes to the GPO access control code are present
== Packaging Changes ==
* The Smart Card authentication feature requires a helper process
p11_child that needs to be marked as setgid if SSSD needs to be able
to. Please note the p11_child requires the NSS crypto library at the moment
* The sss_override tool was added along with its own manpage
* The upstream RPM can now build on RHEL/CentOS 6.7
== Documentation Changes ==
* The config_file_version configuration option now defaults to 2. As
an effect, this option doesn't have to be set anymore unless the config
file format is changed again by SSSD upstream
* It is now possible to specify a comma-separated list of interfaces in
the dyndns_iface option
* The InfoPipe responder and the LDAP provider gained a new option
wildcard_lookup that specifies an upper limit on the number of entries
that can be returned with a wildcard lookup
* A new option dyndns_server was added. This option allows attempting
a fallback DNS update against a specific DNS server. Please note this
option only works as a fallback; the first attempt will always be
performed against autodiscovered servers.
* The PAM responder gained a new option ca_db that allows the storage
of trusted CA certificates to be specified
* The time the p11_child is allowed to operate can be specified using
a new option p11_child_timeout
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/546
[RFE] Support for smart cards
https://fedorahosted.org/sssd/ticket/1697
sssd: incorrect checks on length values during packet decoding
https://fedorahosted.org/sssd/ticket/1926
[RFE] Start the dynamic DNS update after the SSSD has been setup for
the first time
https://fedorahosted.org/sssd/ticket/1994
Complain loudly if backend doesn't start due to missing or invalid keytab
https://fedorahosted.org/sssd/ticket/2275
nested netgroups do not work in IPA provider
https://fedorahosted.org/sssd/ticket/2283
test dyndns failed.
https://fedorahosted.org/sssd/ticket/2335
Investigate using the krb5 responder for driving the PAM conversation
with OTPs
https://fedorahosted.org/sssd/ticket/2463
Pass error messages via the extdom plugin
https://fedorahosted.org/sssd/ticket/2495
[RFE]Allow sssd to add a new option that would specify which server
to update DNS with
https://fedorahosted.org/sssd/ticket/2549
RFE: Support multiple interfaces with the dyndns_iface option
https://fedorahosted.org/sssd/ticket/2553
RFE: Add support for wildcard-based cache updates
https://fedorahosted.org/sssd/ticket/2558
Add dualstack and multihomed support
https://fedorahosted.org/sssd/ticket/2561
Too much logging
https://fedorahosted.org/sssd/ticket/2579
TRACKER: Support one-way trusts for IPA
https://fedorahosted.org/sssd/ticket/2581
Re-check memcache after acquiring the lock in the client code
https://fedorahosted.org/sssd/ticket/2584
RFE: Support client-side overrides
https://fedorahosted.org/sssd/ticket/2597
Add index for 'objectSIDString' and maybe to other cache attributes
https://fedorahosted.org/sssd/ticket/2637
RFE: Don't mark the main domain as offline if SSSD can't connect to
a subdomain
https://fedorahosted.org/sssd/ticket/2639
RFE: Detect re-established trusts in the IPA subdomain code
https://fedorahosted.org/sssd/ticket/2652
KDC proxy not working with SSSD krb5_use_kdcinfo enabled
https://fedorahosted.org/sssd/ticket/2676
Group members are not turned into ghost entries when the user is purged
from the SSSD cache
https://fedorahosted.org/sssd/ticket/2682
sudoOrder not honored as expected
https://fedorahosted.org/sssd/ticket/2688
Default to config_file_version=2
https://fedorahosted.org/sssd/ticket/2691
GPO: PAM system error returned for PAM_ACCT_MGMT and offline mode
https://fedorahosted.org/sssd/ticket/2692
GPO: Access denied due to using wrong sam_account_name
https://fedorahosted.org/sssd/ticket/2694
CI: Fix ramshackle test_ipa_subdomains_server (FAIL:
test_ipa_subdom_server)
https://fedorahosted.org/sssd/ticket/2699
SSSDConfig: wrong return type returned on python3
https://fedorahosted.org/sssd/ticket/2700
krb5_child should always consider online state to allow use of
MS-KKDC proxy
https://fedorahosted.org/sssd/ticket/2708
Logging messages from user point of view
https://fedorahosted.org/sssd/ticket/2711
[RFE] Provide interface for SSH to fetch user certificate
https://fedorahosted.org/sssd/ticket/2712
Initgroups memory cache does not work with fq names
https://fedorahosted.org/sssd/ticket/2716
Initgroups mmap cache needs update after db changes
https://fedorahosted.org/sssd/ticket/2717
well-known SID check is broken for NetBIOS prefixes
https://fedorahosted.org/sssd/ticket/2718
SSSD keytab validation check expects root ownership
https://fedorahosted.org/sssd/ticket/2719
IPA: returned unknown dp error code with disabled migration mode
https://fedorahosted.org/sssd/ticket/2722
Missing config options in gentoo init script
https://fedorahosted.org/sssd/ticket/2723
Could not resolve AD user from root domain
https://fedorahosted.org/sssd/ticket/2724
getgrgid for user's UID on a trust client prevents getpw*
https://fedorahosted.org/sssd/ticket/2725
If AD site detection fails, not even ad_site override skipped
https://fedorahosted.org/sssd/ticket/2729
Do not send SSS_OTP if both factors were entered separately
https://fedorahosted.org/sssd/ticket/2731
searching SID by ID always checks all domains
https://fedorahosted.org/sssd/ticket/2733
Don't use deprecated libraries (libsystemd-*)
https://fedorahosted.org/sssd/ticket/2737
sss_override: add import and export commands
https://fedorahosted.org/sssd/ticket/2738
Cannot build rpms from upstream spec file on rawhide
https://fedorahosted.org/sssd/ticket/2742
When certificate is added via user-add-cert, it cannot be looked up
via org.freedesktop.sssd.infopipe.Users.FindByCertificate
https://fedorahosted.org/sssd/ticket/2743
memory cache can work intermittently
https://fedorahosted.org/sssd/ticket/2744
cleanup_groups should sanitize dn of groups
https://fedorahosted.org/sssd/ticket/2746
the PAM srv test often fails on RHEL-7
https://fedorahosted.org/sssd/ticket/2748
test_memory_cache failed in invalidation cache before stop
https://fedorahosted.org/sssd/ticket/2749
Fix crash in nss responder
https://fedorahosted.org/sssd/ticket/2754
Clear environment and set restrictive umask in p11_child
https://fedorahosted.org/sssd/ticket/2757
sss_override does not work correctly when 'use_fully_qualified_names
= True'
https://fedorahosted.org/sssd/ticket/2758
sss_override contains an extra parameter --debug but is not listed in
the man page or in the arguments help
https://fedorahosted.org/sssd/ticket/2762
[RFE] sssd: better feedback form constraint password change
https://fedorahosted.org/sssd/ticket/2768
Test 'test_id_cleanup_exp_group' failed
https://fedorahosted.org/sssd/ticket/2772
sssd cannot resolve user names containing backslash with ldap provider
https://fedorahosted.org/sssd/ticket/2773
Make p11_child timeout configurable
https://fedorahosted.org/sssd/ticket/2777
Fix memory leak in GPO
https://fedorahosted.org/sssd/ticket/2782
sss_override : The local override user is not found
https://fedorahosted.org/sssd/ticket/2783
REGRESSION: Dyndns soes not update reverse DNS records
https://fedorahosted.org/sssd/ticket/2790
sss_override --name doesn't work with RFC2307 and ghost users
https://fedorahosted.org/sssd/ticket/2799
unit tests do not link correctly on Debian
https://fedorahosted.org/sssd/ticket/2803
Memory leak / possible DoS with krb auth.
https://fedorahosted.org/sssd/ticket/2805
AD: Conditional jump or move depends on uninitialised value
== Detailed Changelog ==
Jakub Hrozek (52):
* Updating the version for 1.13.1 development
* tests: Move N_ELEMENTS definition to tests/common.h
* SYSDB: Add functions to look up multiple entries including name and
custom filter
* DP: Add DP_WILDCARD and SSS_DP_WILDCARD_USER/SSS_DP_WILDCARD_GROUP
* cache_req: Extend cache_req with wildcard lookups
* UTIL: Add sss_filter_sanitize_ex
* LDAP: Fetch users and groups using wildcards
* LDAP: Add sdap_get_and_parse_generic_send
* LDAP: Use sdap_get_and_parse_generic_/_recv
* LDAP: Add sdap_lookup_type enum
* LDAP: Add the wildcard_limit option
* IFP: Add wildcard requests
* Use NSCD path in execl()
* KRB5: Use the right domain for case-sensitive flag
* IPA: Better debugging
* UTIL: Lower debug level in perform_checks()
* IPA: Handle sssd-owned keytabs when running as root
* IPA: Remove MPG groups if getgrgid was called before getpw()
* LDAP: use ldb_binary_encode when printing attribute values
* IPA: Change the default of ldap_user_certificate to
userCertificate;binary
* UTIL: Provide a common interface to safely create temporary files
* IPA: Always re-fetch the keytab from the IPA server
* DYNDNS: Add a new option dyndns_server
* p11child: set restrictive umask and clear environment
* KRB5: Use sss_unique file in krb5_child
* KRB5: Use sss_unique_file when creating kdcinfo files
* LDAP: Use sss_unique_filename in ldap_child
* SSH: Use sss_unique_file_ex to create the known hosts file
* SYSDB: Index the objectSIDString attribute
* sbus: Initialize errno if constructing message fails and add debug
messages
* sbus: Add a special error code for messages sent by the bus itself
* GPO: Use sss_unique_file and close fd on failure
* SDAP: Remove unused function
* KRB5: Don't error out reading a minimal krb5.conf
* UTIL: Convert domain->disabled into tri-state with domain states
* DP: Provide a way to mark subdomain as disabled and auto-enable it
later with offline_timeout
* SDAP: Do not set is_offline if ignore_mark_offline is set
* AD: Only ignore errors from SDAP lookups if there's another connection
to fallback to
* KRB5: Offline operation with disabled domain
* AD: Do not mark the whole back end as offline if subdomain lookup fails
* AD: Set ignore_mark_offline=false when resolving AD root domain
* IPA: Do not allow the AD lookup code to set backend as offline in
server mode
* BUILD: link dp tests with LDB directly to fix builds on Debian
* LDAP: imposing sizelimit=1 for single-entry searches breaks
overlapping domains
* tests: Move named_domain from test_utils to common test code
* LDAP: Move sdap_create_search_base from ldap to sdap code
* LDAP: Filter out multiple entries when searching overlapping domains
* IPA: Change ipa_server_trust_add_send request to be reusable from ID code
* FO: Add an API to reset all servers in a single service
* FO: Also reset the server common data in addition to SRV
* IPA: Retry fetching keytab if IPA user lookup fails
* Updating translations for the 1.13.1 release
Lukas Slebodnik (49):
* KRB5: Return right data provider error code
* Update few debug messages
* intg: Invalidate memory cache before removing files
* SPEC: Update spec file for krb5_local_auth_plugin
* SSSDConfig: Return correct types in python3
* intg: Modernize 'except' clauses
* mmap_cache: Rename variables
* mmap_cache: "Override" functions for initgr mmap cache
* mmap: Invalidate initgroups memory cache after any change
* sss_client: Update integrity check of records in mmap cache
* intg_test: Add module for simulation of utility id
* intg_test: Add integration test for memory cache
* NSS: Initgr memory cache should work with fq names
* test_memory_cache: Add test for initgroups mc with fq names
* SPEC: Workaround for build with rpm 4.13
* KRB5: Do not try to remove missing ccache
* test_memory_cache: Test mmap cache after initgroups
* test_memory_cache: Test invalidation with sss_cache
* krb5_utils-tests: Remove unused variables
* sss_cache: Wait a while for invalidation of mc by nss responder
* test_memory_cache: Fix few python issues
* NSS: Fix use after free
* NSS: Don't ignore backslash in usernames with ldap provider
* intg_tests: Add regression test for 2163
* BUILD: Build libdlopen_test_providers.la as a dynamic library
* BUILD: Speed up build of some tests
* BUILD: Simplify build of simple_access_tests
* CI: Set env variable for all tabs in screen
* dyndns-tests: Simulate job in wrapped execv
* AUTOMAKE: Disable portability warnings
* tests: Use unique name for TEST_PATH
* tests: Move test_dom_suite_setup to different module
* test_ipa_subdomains_server: Use unique directory for keytabs
* test_copy_keytab: Create keytabs in unique directory
* test_ad_common: Use unique directory for keytabs
* Revert "LDAP: end on ENOMEM"
* Partially revert "LDAP: sanitize group name when used in filter"
* LDAP: Sanitize group dn before using in filter
* test_ldap_id_cleanup: Fix coding style issues
* DYNDNS: Return right error code in case of failure
* BUILD: Simplify build of test_data_provider_be
* BUILD: Remove unused variable CHECK_OBJ
* BUILD: Do not build libsss_ad_common.la as library
* BUILD: Remove unused variable SSSD_UTIL_OBJ
* CONFIGURE: Remove bashism
* IFP: Suppress warning from static analyzer
* BUILD: Link test_data_provider_be with -ldl
* sysdb-tests: Use valid base64 encoded certificate for search
* test_pam_srv: Run cert test only with NSS
Michal Židek (13):
* DEBUG: Add new debug category for fail over.
* pam: Increase p11 child timeout
* sdap_async: Use specific errmsg when available
* TESTS: ldap_id_cleanup timeouts
* sssd: incorrect checks on length values during packet decoding
* CONFDB: Assume config file version 2 if missing
* Makefile.am: Add missing AM_CFLAGS
* SYSDB: Add function to expire entry
* cleanup task: Expire all memberof targets when removing user
* CI: Add regression test for #2676
* intg: Fix some PEP 8 violations
* PAM: Make p11_child timeout configurable
* tests: Set p11_child_timeout to 30 in tests
Nikolai Kondrashov (1):
* TESTS: Add trailing whitespace test
Pavel Březina (18):
* VIEWS TEST: add null-check
* SYSDB: prepare for LOCAL view
* TOOLS: add common command framework
* TOOLS: add sss_override for local overrides
* AD: Use ad_site also when site search fails
* IFP: use default limit if provided is 0
* sudo: use "higher value wins" when ordering rules
* sss_override: print input name if unable to parse it
* sss_override: support domains that require fqname
* TOOLS: add sss_colondb API
* sss_override: decompose code better
* sss_override: support import and export
* sss_override: document --debug options
* sss_override: support fqn in override name
* views: do not require overrideDN in groups when LOCAL view is set
* views: fix two typos in debug messages
* views: allow ghost members for LOCAL view
* sss_override: remove -d from manpage
Pavel Reichl (23):
* DYNDNS: sss_iface_addr_list_get return ENOENT
* DYNDNS: support mult. interfaces for dyndns_iface opt
* DYNDNS: special value '*' for dyndns_iface option
* TESTS: dyndns tests support AAAA addresses
* DYNDNS: support for dualstack
* TESTS: fix compiler warnings
* SDAP: rename SDAP_CACHE_PURGE_TIMEOUT
* IPA: Improve messages about failures
* DYNDNS: Don't use server cmd in nsupdate by default
* DYNDNS: remove redundant talloc_steal()
* DYNDNS: remove zone command
* DYNDNS: rename field of sdap_dyndns_update_state
* DYNDNS: remove code duplication
* TESTS: UT for sss_iface_addr_list_as_str_list()
* LDAP: sanitize group name when used in filter
* LDAP: minor improvements in ldap id cleanup
* TESTS: fix fail in test_id_cleanup_exp_group
* LDAP: end on ENOMEM
* AD: send less logs to syslog
* Remove trailing whitespace
* GPO: fix memory leak
* DDNS: execute nsupdate for single update of PTR rec
* AD: initialize root_domain_attrs field
Petr Cech (6):
* BUILD: Repair dependencies on deprecated libraries
* TESTS: Removing part of responder_cache_req-tests
* UTIL: Function 2string for enum sss_cli_command
* UTIL: Fixing Makefile.am for util/sss_cli_cmd.h
* DATA_PROVIDER: BE_REQ as string in log message
* IPA PROVIDER: Resolve nested netgroup membership
Robin McCorkell (1):
* man: List alternative schema defaults for LDAP AutoFS parameters
Stephen Gallagher (1):
* AD: Handle cases where no GPOs apply
Sumit Bose (17):
* test common: sss_dp_get_account_recv() fix assignment
* nss_check_name_of_well_known_sid() improve name splitting
* negcache: allow domain name for UID and GID
* nss: use negative cache for sid-by-id requests
* krb5: do not send SSS_OTP if two factors were used
* utils: add NSS version of cert utils
* Add NSS version of p11_child
* pack_message_v3: allow empty name
* authok: add support for Smart Card related authtokens
* PAM: add certificate support to PAM (pre-)auth requests
* pam_sss: add sc support
* ssh: generate public keys from certificate
* krb5 utils: add sss_krb5_realm_has_proxy()
* krb5: do not create kdcinfo file if proxy configuration exists
* krb5: assume online state if KDC proxy is configured
* GPO: use SDAP_SASL_AUTHID as samAccountName
* utils: make sss_krb5_get_primary() private
Thomas Oulevey (1):
* Fix memory leak in sssdpac_verify()
Tyler Gates (1):
* CONTRIB: Gentoo daemon startup options as declared in conf.d/sssd
Yuri Chornoivan (1):
* Fix minor typos
12.5 problems
by Longina Przybyszewska
Hi,
We have a problem after upgrading from version 11.7 to 12.5.
Identity lookups periodically change from short name to fully qualified name for users from trust domains.
In turn, users get locked out of files, or cannot log in because the nfsidmap setup can't figure out the ID mapping.
This setup worked in version 11.7
(+several domains identically configured)
[domain/A.C.DOM.ORG]
debug_level = 9
cache_credentials = true
id_provider = ad
dyndns_update = false
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = a.c.dom.org
krb5_realm = A.C.DOM.ORG
use_fully_qualified_names = false
subdomain_provider = none
ldap_id_mapping = false
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
krb5_renew_interval = 1h
ad_gpo_access_control = disabled
ad_gpo_default_right = permit
With my new setup, IDs from trust domains can't be resolved as short names.
Only IDs from the client machine's native domain can.
Cross-realm membership resolves fine.
[nss]
debug_level = 7
filter_groups = root
filter_users = root,lightdm,ldap,named,avahi,haldeamon,dbus,radvd,tomcat,radiusd,news,mailman,nscd
[sssd]
debug_level = 9
domains = A.C.DOM.ORG,N.C.DOM.ORG,C.DOM.ORG
config_file_version = 2
services = nss, pam,ssh
[pam]
pam_verbosity = 3
debug_level = 9
[domain/A.C.DOM.ORG]
debug_level = 9
id_provider = ad
dyndns_update = true
ad_hostname = a431.a.c.dom.org
ignore_group_members = true
use_fully_qualified_names = false
ldap_id_mapping = false
ldap_user_name = sAMAccountName
#ldap_user_principal = sAMAccountName
ad_site = DOM
Best,
Longina
libsss_ad_common.so removed in 1.13.1
by Michael Ströder
Hi!
I'm currently trying to build an upgrade RPM for sssd 1.13.1. The .spec file
for 1.13.0 no longer works because libsss_ad_common.so is missing.
Was it removed in libsss_ad_common.so?
Ciao, Michael.
Problem authenticating user
by Ondrej Valousek
Hi List,
I am running into a problem with pam_sss. It is unable to authenticate a user against AD via Kerberos.
Log files:
Sssd_default.log
(Thu Sep 24 14:14:16 2015) [sssd[be[default]]] [krb5_auth_send] (0x0100): No ccache file for user [ondrejv] found.
(Thu Sep 24 14:14:16 2015) [sssd[be[default]]] [krb5_auth_send] (0x4000): Ccache_file is [not set] and is not active and TGT is not valid.
Pam.log:
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [ondrejv] added to PAM initgroup cache
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: default
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): user: ondrejv
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: login03
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 27660
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x22b2a10
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x417d60:3:ondrejv@default]
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x22b2a10
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x22b1f10
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][default]
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4].
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_reply] (0x0200): blen: 68
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x22bcec0][18]
(Thu Sep 24 14:14:21 2015) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): [ondrejv] removed from PAM initgroup cache
/var/log/authlog:
Sep 24 14:14:16 nitrogen sshd[27660]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=login03 user=ondrejv
Sep 24 14:14:16 nitrogen sshd[27660]: pam_sss(sshd:auth): received for user ondrejv: 4 (System error)
I am a bit lost here; not even my friend Google helps. Does anyone know?
I can run 'kinit <username>' happily, so the Kerberos library seems to be configured fine. The system is Ubuntu 14.04.
Thanks,
Ondrej
Make autofs work with Active Directory
by Fabien CARRE
Hello,
I have been struggling for some days now, trying to use sssd with an Active
Directory (Windows 2008 R2).
I used the *realm* command as explained here:
https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server
I followed this post https://ovalousek.wordpress.com/2015/08/03/autofs but I
am unable to make it work.
So far, I can log in, and apply the sudoers rules but the automount won't
work.
OS : Fedora 20
sssd-common-pac-1.11.7-5.fc20.x86_64
sssd-proxy-1.11.7-5.fc20.x86_64
python-sssdconfig-1.11.7-5.fc20.noarch
sssd-tools-1.11.7-5.fc20.x86_64
sssd-common-1.11.7-5.fc20.x86_64
sssd-krb5-1.11.7-5.fc20.x86_64
sssd-1.11.7-5.fc20.x86_64
sssd-ldap-1.11.7-5.fc20.x86_64
sssd-ipa-1.11.7-5.fc20.x86_64
sssd-ad-1.11.7-5.fc20.x86_64
sssd-krb5-common-1.11.7-5.fc20.x86_64
sssd-client-1.11.7-5.fc20.x86_64
Any ideas? Thank you.
*autofs OU:*
dn: OU=autofs,DC=ad,DC=mikdom,DC=org
objectClass: top
objectClass: organizationalUnit
dn: CN=auto.master,OU=autofs,DC=ad,DC=mikdom,DC=org
objectClass: top
objectClass: nisMap
cn: auto.master
nisMapName: auto.master
dn: CN=/homes,CN=auto.master,OU=autofs,DC=ad,DC=mikdom,DC=org
objectClass: top
objectClass: nisObject
cn: /homes
nisMapName: auto.master
nisMapEntry: ldap:cn=auto.home,ou=autofs,dc=ad,mikdom,dc=org
dn: CN=auto.home,OU=autofs,DC=ad,DC=mikdom,DC=org
objectClass: top
objectClass: nisMap
cn: auto.home
nisMapName: auto.home
dn: CN=/,CN=auto.home,OU=autofs,DC=ad,DC=mikdom,DC=org
objectClass: top
objectClass: nisObject
cn: /
nisMapName: auto.home
nisMapEntry: -fstype=nfs homeserv:/vol/homes/&
*sssd config file:*
[sssd]
domains = ad.mikdom.org
config_file_version = 2
services = nss, pam, autofs, sudo
[pam]
[nss]
[domain/ad.mikdom.org]
ad_server = myactived.ad.mikdom.org
ad_domain = ad.mikdom.org
access_provider = ad
auth_provider = ad
krb5_realm = AD.MIKDOM.ORG
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
fallback_homedir = /home/%u
use_fully_qualified_names = False
#sudo
sudo_provider = ad
ldap_sudo_search_base = ou=SUDOers,dc=ad,dc=mikdom,dc=org
ldap_sudo_full_refresh_interval = 86400
ldap_sudo_smart_refresh_interval = 3600
#autofs
ldap_schema = rfc2307
autofs_provider = ldap
ldap_autofs_entry_key = cn
ldap_autofs_entry_object_class = nisObject
ldap_autofs_entry_value = nisMapEntry
ldap_autofs_map_name = nisMapName
ldap_autofs_map_object_class = nisMap
ldap_autofs_search_base = ou=autofs,dc=ad,dc=mikdom,dc=org
[autofs]
*sssd debug:*
(Thu Sep 24 16:17:42 2015) [sssd[be[ad.mikdom.org]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'myactived.ad.mikdom.org' as 'working'
(Thu Sep 24 16:17:42 2015) [sssd[be[ad.mikdom.org]]] [set_server_common_status] (0x0100): Marking server 'myactived.ad.mikdom.org' as 'working'
(Thu Sep 24 16:17:42 2015) [sssd[be[ad.mikdom.org]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Operations error(1), 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
(Thu Sep 24 16:17:42 2015) [sssd[be[ad.mikdom.org]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
(Thu Sep 24 16:17:42 2015) [sssd[be[ad.mikdom.org]]] [sdap_autofs_setautomntent_done] (0x0040): sdap_get_automntmap_recv failed [5]: Input/output error
(Thu Sep 24 16:17:42 2015) [sssd[be[ad.mikdom.org]]] [sdap_id_op_done] (0x0200): communication error on cached connection, moving to next server
(Thu Sep 24 16:17:42 2015) [sssd[be[ad.mikdom.org]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Thu Sep 24 16:17:42 2015) [sssd[be[ad.mikdom.org]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Thu Sep 24 16:17:42 2015) [sssd[be[ad.mikdom.org]]] [be_resolve_server_process] (0x0200): Found address for server myactived.ad.mikdom.org: [192.168.200.245] TTL 3600
(Thu Sep 24 16:17:42 2015) [sssd[be[ad.mikdom.org]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
(Thu Sep 24 16:17:42 2015) [sssd[be[ad.mikdom.org]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Thu Sep 24 16:17:42 2015) [sssd[be[ad.mikdom.org]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'myactived.ad.mikdom.org' as 'working'
(Thu Sep 24 16:17:42 2015) [sssd[be[ad.mikdom.org]]] [set_server_common_status] (0x0100): Marking server 'myactived.ad.mikdom.org' as 'working'
(Thu Sep 24 16:17:42 2015) [sssd[be[ad.mikdom.org]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Operations error(1), 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
(Thu Sep 24 16:17:42 2015) [sssd[be[ad.mikdom.org]]]
[sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]:
Input/output error
(Thu Sep 24 16:17:42 2015) [sssd[be[ad.mikdom.org]]]
[sdap_autofs_setautomntent_done] (0x0040): sdap_get_automntmap_recv failed
[5]: Input/output error
(Thu Sep 24 16:17:42 2015) [sssd[be[ad.mikdom.org]]] [sdap_id_op_done]
(0x0200): communication error on cached connection, moving to next server
(Thu Sep 24 16:17:42 2015) [sssd[autofs]] [lookup_automntmap_cache_updated]
(0x0020): Unable to get information from Data Provider
Error: 3, 5, Input/output error
Will try to return what we have in cache
8 years
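The debug output above is wrapped by the mail archive, which makes it awkward to grep. As an added example (not code from the post or from SSSD), here is a small Python triage script that reassembles the wrapped records, parses the sssd log format, and flags the two failure signatures visible in the quoted lines; the sample input is the quoted log itself, and the signature meanings are my reading of the messages, not SSSD documentation.

```python
import re
from collections import Counter

# Constructed sample: sssd debug records quoted above, kept with the archive's line wrapping.
SAMPLE_LOG = """\
(Thu Sep 24 16:17:42 2015) [sssd[be[ad.mikdom.org]]] [fo_set_port_status]
(0x0100): Marking port 389 of server 'myactived.ad.mikdom.org' as 'working'
(Thu Sep 24 16:17:42 2015) [sssd[be[ad.mikdom.org]]]
[sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap:
Operations error(1), 000004DC: LdapErr: DSID-0C0906E8, comment: In orde
r to perform this operation a successful bind must be completed on the
connection., data 0, v1db1
(Thu Sep 24 16:17:42 2015) [sssd[autofs]] [lookup_automntmap_cache_updated]
(0x0020): Unable to get information from Data Provider
"""

# A record starts with a "(Thu Sep 24 16:17:42 2015)" timestamp; any other
# line, even one starting with "(0x0100)", is a wrapped continuation.
TS_RE = re.compile(r"^\([A-Z][a-z]{2} [A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \d{4}\)")
RECORD_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<comp>[a-z_]+(?:\[[^\]]*\])?)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$")

# Key on stable substrings: wrapping can split words ("In orde" / "r to"),
# so the AD error code is a safer key than the English sentence.
SIGNATURES = {
    "000004DC": "search sent on a connection that never completed a bind",
    "Unable to get information from Data Provider":
        "responder answered from cache because the backend lookup failed",
    "No matching domain found": "ID falls outside every configured domain range",
}

def reassemble(text):
    """Join wrapped continuation lines back onto the record they belong to."""
    records = []
    for line in text.splitlines():
        if TS_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line.strip()
    return records

def parse(text):
    """Split each reassembled record into ts, comp, func, level and msg."""
    matches = (RECORD_RE.match(r) for r in reassemble(text))
    return [m.groupdict() for m in matches if m]

def triage(text):
    """Count known failure signatures, keyed by (function, meaning)."""
    hits = Counter()
    for rec in parse(text):
        for key, meaning in SIGNATURES.items():
            if key in rec["msg"]:
                hits[(rec["func"], meaning)] += 1
    return hits
```

Run it on a full sssd_<domain>.log (debug_level 0x0100 or higher) to see which backend function first reports the bind failure before the autofs responder gives up.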
SSSD + AD: very slow logins
by l@avc.su
Hello.
I've set up SSSD v1.12.4 with the 'ad' provider, enrolled the PC into the domain
with adcli, and everything seems to be working. I've been bothered by
two problems which I think are linked.
The first one is slow logins. It sometimes takes up to 1-2 minutes to get
access to the machine, and commands like 'id user' and 'sudo' work slowly,
from 30 seconds to two minutes approx. After the record goes to the cache,
however, it works almost instantly.
The second is that SSSD does not resolve nested groups by default, and some
users that should be allowed are not able to log in. A possible
workaround is explicitly using the
'memberOf:1.2.840.113556.1.4.1941:' rule, but it looks like a workaround
to me. Maybe I'm wrong, though.
But when I enable 'ldap_groups_use_matching_rule_in_chain' and
'ldap_initgroups_use_matching_rule_in_chain', the login process and commands
like 'id user' and 'sudo' take up to 2-5 minutes to finish.
It shouldn't be a network issue; all servers are on the same virtual
host.
We've got a rather big environment: one domain, several locations, many
services and groups. Therefore, I can't enable enumeration on the
machine.
As far as I understand, slow logins occur because ad_filter needs to
know whether the user is in the valid group or not.
So, the main question is slow logins. Here's my sssd.conf:
[domain/domain.local]
debug_level = 2
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
case_sensitive = false
cache_credentials = true
krb5_auth_timeout = 30
dns_resolver_timeout = 30
ad_domain = domain.local
ad_hostname = ServerTwo.domain.local
ad_server = loc01dc01.domain.local, _srv_, loc02dc02.domain.local
ad_backup_server = 192.168.0.1
ad_gpo_access_control = disabled
ad_access_filter = DOM:domain.local:(|(memberOf=CN=group1, OU=something, DC=domain, DC=local)(memberOf:1.2.840.113556.1.4.1941:=CN=grour2, OU=something, DC=domain, DC=local))
ldap_search_timeout = 15
ldap_opt_timeout = 15
ldap_sasl_minssf = 56
[sssd]
debug_level = 2
domains = domain.local
services = nss,pam,ssh,pac
config_file_version = 2
[nss]
debug_level = 2
filter_users = root
filter_groups = root
[pam]
debug_level = 2
pam_id_timeout = 15
[ssh]
debug_level=2
[pac]
And here's what happens when I try to log in with Kerberos (I also tried
password and RSA auth):
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [UserOne]
from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for
[userone(a)domain.local]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for
[userone(a)domain.local]
[sssd[be[domain.local]]] [acctinfo_callback] (0x0100): Request
processed. Returned 0,0,Success
(waiting 1 sec.)
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to
resolve service 'AD_GC'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed uri
'ldap://loc01dc01.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed GC
uri 'ldap://loc01dc01.domain.local:3268'
[sssd[be[domain.local]]] [sdap_get_server_opts_from_rootdse] (0x0100):
Setting AD compatibility level to [6]
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to
resolve service 'AD'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed uri
'ldap://loc01dc01.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed GC
uri 'ldap://loc01dc01.domain.local'
[[sssd[ldap_child[18547]]]] [ldap_child_get_tgt_sync] (0x0100):
Principal name is: [LOC01DC01$(a)DOMAIN.LOCAL]
[[sssd[ldap_child[18547]]]] [ldap_child_get_tgt_sync] (0x0100): Using
keytab [MEMORY:/etc/krb5.keytab]
[sssd[be[domain.local]]] [child_sig_handler] (0x0100): child [18547]
finished successfully.
[sssd[be[domain.local]]] [sdap_cli_auth_step] (0x0100): expire timeout
is 900
[sssd[be[domain.local]]] [sasl_bind_send] (0x0100): Executing sasl bind
mech: gssapi, user: LOC01DC01$
(waiting 1 sec.)
[sssd[be[domain.local]]] [fo_set_port_status] (0x0100): Marking port 0
of server 'loc01dc01.domain.local' as 'working'
[sssd[be[domain.local]]] [set_server_common_status] (0x0100): Marking
server 'loc01dc01.domain.local' as 'working'
[sssd[be[domain.local]]] [sdap_fill_memberships] (0x0080): Member
[CN=group1,CN=something,DC=domain,DC=local] was not found in cache. Is
it out of scope?
[sssd[be[domain.local]]] [sdap_fill_memberships] (0x0080): Member
[CN=group2,OU=something,OU=something,OU=something,DC=domain,DC=local]
was not found in cache. Is it out of scope?
[sssd[be[domain.local]]] [acctinfo_callback] (0x0100): Request
processed. Returned 0,0,Success
[sssd[be[domain.local]]] [sdap_fill_memberships] (0x0080): Member
[CN=group3,OU=something,OU=something,OU=something,DC=domain,DC=local]
was not found in cache. Is it out of scope?
... (many many many more 'success' with few errors 'out of scope')
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [UserOne]
from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for
[userone(a)domain.local]
(repeated twice)
[sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt
[sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
[sssd[pam]] [pam_print_data] (0x0100): domain: not set
[sssd[pam]] [pam_print_data] (0x0100): user: UserOne
[sssd[pam]] [pam_print_data] (0x0100): service: sshd
[sssd[pam]] [pam_print_data] (0x0100): tty: ssh
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set
[sssd[pam]] [pam_print_data] (0x0100): rhost: ServerOne.domain.local
[sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): priv: 1
[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 18545
[sssd[pam]] [pam_print_data] (0x0100): logon name: UserOne
[sssd[be[domain.local]]] [acctinfo_callback] (0x0100): Request
processed. Returned 0,0,Success
[sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for
[userone(a)domain.local]
[sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the
following data:
[sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
[sssd[pam]] [pam_print_data] (0x0100): domain: domain.local
[sssd[pam]] [pam_print_data] (0x0100): user: UserOne
[sssd[pam]] [pam_print_data] (0x0100): service: sshd
[sssd[pam]] [pam_print_data] (0x0100): tty: ssh
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set
[sssd[pam]] [pam_print_data] (0x0100): rhost: ServerOne.domain.local
[sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): priv: 1
[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 18545
[sssd[pam]] [pam_print_data] (0x0100): logon name: UserOne
[sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
[sssd[be[domain.local]]] [be_pam_handler] (0x0100): Got request with the
following data
[sssd[be[domain.local]]] [pam_print_data] (0x0100): command:
PAM_ACCT_MGMT
[sssd[be[domain.local]]] [pam_print_data] (0x0100): domain: domain.local
[sssd[be[domain.local]]] [pam_print_data] (0x0100): user: UserOne
[sssd[be[domain.local]]] [pam_print_data] (0x0100): service: sshd
[sssd[be[domain.local]]] [pam_print_data] (0x0100): tty: ssh
[sssd[be[domain.local]]] [pam_print_data] (0x0100): ruser:
[sssd[be[domain.local]]] [pam_print_data] (0x0100): rhost:
ServerOne.domain.local
[sssd[be[domain.local]]] [pam_print_data] (0x0100): authtok type: 0
[sssd[be[domain.local]]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[be[domain.local]]] [pam_print_data] (0x0100): priv: 1
[sssd[be[domain.local]]] [pam_print_data] (0x0100): cli_pid: 18545
[sssd[be[domain.local]]] [pam_print_data] (0x0100): logon name: not set
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Backend
returned: (0, 0, <NULL>) [Success]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Sending
result [0][domain.local]
[sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][domain.local]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Sent result
[0][domain.local]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [userone]
from [<ALL>]
[sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for
[userone(a)domain.local]
(repeated 6 times)
[sssd[pam]] [pam_cmd_open_session] (0x0100): entering
pam_cmd_open_session
[sssd[pam]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
[sssd[pam]] [pam_print_data] (0x0100): domain: not set
[sssd[pam]] [pam_print_data] (0x0100): user: UserOne
[sssd[pam]] [pam_print_data] (0x0100): service: sshd
[sssd[pam]] [pam_print_data] (0x0100): tty: ssh
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set
[sssd[pam]] [pam_print_data] (0x0100): rhost: ServerOne.domain.local
[sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): priv: 1
[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 18545
[sssd[pam]] [pam_print_data] (0x0100): logon name: UserOne
[sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for
[userone(a)domain.local]
[sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the
following data:
[sssd[pam]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
[sssd[pam]] [pam_print_data] (0x0100): domain: domain.local
[sssd[pam]] [pam_print_data] (0x0100): user: UserOne
[sssd[pam]] [pam_print_data] (0x0100): service: sshd
[sssd[pam]] [pam_print_data] (0x0100): tty: ssh
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set
[sssd[pam]] [pam_print_data] (0x0100): rhost: ServerOne.domain.local
[sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): priv: 1
[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 18545
[sssd[pam]] [pam_print_data] (0x0100): logon name: UserOne
[sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
[sssd[be[domain.local]]] [be_pam_handler] (0x0100): Got request with the
following data
[sssd[be[domain.local]]] [pam_print_data] (0x0100): command:
PAM_OPEN_SESSION
[sssd[be[domain.local]]] [pam_print_data] (0x0100): domain: domain.local
[sssd[be[domain.local]]] [pam_print_data] (0x0100): user: UserOne
[sssd[be[domain.local]]] [pam_print_data] (0x0100): service: sshd
[sssd[be[domain.local]]] [pam_print_data] (0x0100): tty: ssh
[sssd[be[domain.local]]] [pam_print_data] (0x0100): ruser:
[sssd[be[domain.local]]] [pam_print_data] (0x0100): rhost:
ServerOne.domain.local
[sssd[be[domain.local]]] [pam_print_data] (0x0100): authtok type: 0
[sssd[be[domain.local]]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[be[domain.local]]] [pam_print_data] (0x0100): priv: 1
[sssd[be[domain.local]]] [pam_print_data] (0x0100): cli_pid: 18545
[sssd[be[domain.local]]] [pam_print_data] (0x0100): logon name: not set
[sssd[be[domain.local]]] [be_pam_handler] (0x0100): Sending result
[0][domain.local]
[sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][domain.local]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [userone]
from [<ALL>]
[sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for
[userone(a)domain.local]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [userone]
from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for
[userone(a)domain.local]
[sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for
[704943713(a)domain.local]
[sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found
for [704943713]
It takes from about 30 secs to 2 minutes to log in.
Here is what I see in the logs when setting the options
'ldap_groups_use_matching_rule_in_chain' and
'ldap_initgroups_use_matching_rule_in_chain' and running 'id user':
[sssd[be[domain.local]]] [acctinfo_callback] (0x0100): Request
processed. Returned 0,0,Success
[sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for
[704754393(a)domain.local]
[sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found
for [704754393]
[sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for
[704754393(a)domain.local]
[sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found
for [704754393]
... (many of these messages, about 1-3/sec)
And then I see these messages:
[sssd[be[domain.local]]] [sysdb_store_group] (0x0080): A group with the
same GID [704543591] was removed from the cache
[sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for
[704543591(a)domain.local]
[sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found
for [704543591]
[sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for
[704432243(a)domain.local]
[sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found
for [704432243]
[sssd[be[domain.local]]] [acctinfo_callback] (0x0100): Request
processed. Returned 0,0,Success
[sssd[be[domain.local]]] [sysdb_store_group] (0x0080): A group with the
same GID [704432243] was removed from the cache
... (not so many, but still a lot.)
In the output of 'id user' I see these strange groups:
704195244(groupname {fcc357ea-83ef-4645-17e9-1967bfe8a77f})
Is there anything I can do to speed up my login? Is there anything I've
messed up in my sssd.conf?
Any help appreciated. Thank you in advance.
8 years
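As an added example (not from the post or from SSSD), here is a small offline Python model of the ad_access_filter shape used above: a plain memberOf term only sees direct membership, while the memberOf:1.2.840.113556.1.4.1941: term (LDAP_MATCHING_RULE_IN_CHAIN) follows group nesting, which is why nested users are denied without it. The directory, user DNs and the per-group lookup count are constructed, and the filter parser handles only (|...) or (&...) lists of memberOf terms.

```python
import re
from collections import deque

# Constructed toy directory, not real AD data: group DN -> direct member DNs.
U1 = "CN=userone,OU=people,DC=domain,DC=local"
U2 = "CN=usertwo,OU=people,DC=domain,DC=local"
U3 = "CN=userthree,OU=people,DC=domain,DC=local"
G1 = "CN=group1,OU=something,DC=domain,DC=local"
G2 = "CN=group2,OU=something,DC=domain,DC=local"
SUB1 = "CN=sub1,OU=something,DC=domain,DC=local"
SUB2 = "CN=sub2,OU=something,DC=domain,DC=local"
OTHER = "CN=other,OU=something,DC=domain,DC=local"
DIRECTORY = {
    G1: [U2],      # usertwo is a direct member of group1
    G2: [SUB1],    # group2 contains sub1 ...
    SUB1: [SUB2],  # ... which contains sub2 ...
    SUB2: [U1],    # ... which finally contains userone (three levels deep)
    OTHER: [U3],
}

# Same shape as the poster's filter: direct term for group1, chain term for group2.
FILTER = "(|(memberOf=%s)(memberOf:1.2.840.113556.1.4.1941:=%s))" % (G1, G2)

CHAIN_OID = "1.2.840.113556.1.4.1941"
TERM_RE = re.compile(r"\(memberOf(:%s:)?=([^)]+)\)" % re.escape(CHAIN_OID))

def direct_member_of(dn):
    """Plain memberOf: only the groups that list dn directly."""
    return {g for g, members in DIRECTORY.items() if dn in members}

def transitive_member_of(dn):
    """What LDAP_MATCHING_RULE_IN_CHAIN evaluates server-side: the closure of
    memberOf.  Returns (groups, lookups), where lookups counts the per-object
    searches a client would need to get the same answer by recursion."""
    seen, queue, lookups = set(), deque([dn]), 0
    while queue:
        cur = queue.popleft()
        lookups += 1
        for g in direct_member_of(cur) - seen:
            seen.add(g)
            queue.append(g)
    return seen, lookups

def access_allowed(dn, ldap_filter=FILTER):
    """Evaluate an (|...) or (&...) list of memberOf terms for dn."""
    results = []
    for chain, group_dn in TERM_RE.findall(ldap_filter):
        groups = transitive_member_of(dn)[0] if chain else direct_member_of(dn)
        results.append(group_dn in groups)
    return all(results) if ldap_filter.startswith("(&") else any(results)
```

Swapping the chain term for a plain memberOf term in FILTER makes userone fail the check, which is the nested-group symptom described in the post.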
Shell set to /bin/sh
by Domenico Viggiani
Hi,
we are using SSSD on Red Hat 7 to authenticate users on an
Active Directory domain.
Any idea why almost all users get /bin/sh as their
shell instead of /bin/bash?
This is my sssd.conf:
[domain/MYDOMAIN.COM]
ad_domain = MYDOMAIN.COM
krb5_realm = MYDOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
#use_fully_qualified_names = True
fallback_homedir = /home/AD/%u
access_provider = ad
override_homedir = /home/AD/%u
I was not able to find the culprit
:-) Perhaps the 'Homedir' field in AD? Can I override it?
Thanks
8 years