Enumerate users from external group from AD trust
by Bolke de Bruin
Hello,
I have sssd 1.13.00 working against a FreeIPA 4.2 domain. This domain has a trust relationship with an Active Directory domain.
One of the systems we are using (Apache Ranger) requires, by (unfortunate) design, enumerating all users in groups. This is done by using
“getent group”. During this enumeration the full user list for a group that has a nested external member group* is not always returned, so we thought to
add “getent group mygroup” in order to get more details. Unfortunately this does not seem to work consistently: sometimes it gives information, sometimes it does not:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
[root@master centos]# id bolke@ad.local
uid=1796201107(bolke@ad.local) gid=1796201107(bolke@ad.local) groups=1796201107(bolke@ad.local),1796200513(domain users@ad.local),1796201108(test@ad.local)
[root@master centos]# getent group ad_users
ad_users:*:1950000004:bolke@ad.local
If I clear the cache (sss_cache -E) the entry is gone again:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
My question is how do I get sssd to enumerate *all users* in a group consistently?
Thanks!
Bolke
* https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-g...
4 years
'no primary group ID provided' when trying to use ldap mode against AD
by Daniel Hermans
Hi,
i'd like to use sssd in ldap mode against Active Directory so I have defined:
id_provider = ldap
auth_provider = ldap
Yes, krb5 would be better, but I only have a BIND account and cannot add computer objects.
This 'should' be possible - it works with nslcd. As I don't have POSIX attributes I'm using:
ldap_id_mapping = true
fallback_homedir = /home/%d/%u
default_shell = /bin/bash
sssd can bind with LDAPS and seems to get user info from the domain:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Some User,OU=Admin Accounts,DC=dev,DC=somedomain,DC=com].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_process_result] (0x2000): Trace: sh[0x7f5d15fbc030], connected[1], ops[0x7f5d1639d140], ldap[0x7f5d15fb5cd0]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_op_destructor] (0x2000): Operation 3 finished
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_search_user_process] (0x4000): Retrieved total 1 users
The UID mapping seems to succeed:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): Save user
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x4000): Failed to retrieve UUID [2][No such file or directory].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): SID S-1-5-21-3970895924-989261097-3267629119-1443 does not belong to any known domain
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_primary_name] (0x0400): Processing object someuser
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): Processing user someuser
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x1000): Mapping user [someuser] objectSID [S-1-5-21-3970895924-989261097-3267629119-1443] to unix ID
But it gets no further with this message:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_idmap_primary_gid] (0x0080): no primary group ID provided
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0020): Cannot get the GID for [someuser] in domain [extdev].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0020): Failed to save user [someuser]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
Have tried against two different domains with identical result ( one a cleanly installed 2012R2 domain ).
Any ideas what I'm doing wrong? Is this possible? Various (old) posts suggest it is.
This was first (incorrectly) posted to sssd-devel; Jakub Hrozek replied and told me to define ldap_idmap_default_domain_sid, so sssd no longer reports this:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): SID S-1-5-21-3970895924-989261097-3267629119-1443 does not belong to any known domain
Thanks in advance!!
6 years, 7 months
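An added example (my code, not sssd's and not part of this thread) of the arithmetic behind the failure above. Under ldap_id_mapping both IDs are derived from SIDs: the UID from the RID of objectSID, the GID from primaryGroupID, which is a RID in the same domain. A user entry that does not yield primaryGroupID therefore has no GID to map and cannot be stored. With id_provider = ldap the attribute that supplies that RID is ldap_user_primary_group (the option whose man-page entry the 1.14.2 notes further down this page mention); it defaults to primaryGroupID only under ldap_schema = ad, the combination the later message on this page with ldap_schema = ad and ldap_id_mapping = true runs. The slice number is taken as a parameter: sssd derives it from a hash of the domain SID, which this code does not reproduce, and 8980 is simply the value that yields the ad.local IDs shown in the first message (RID 513 -> 1796200513, RID 1107 -> 1796201107). Range constants are sssd's documented defaults; the sample SID is the one from the log above.

```python
import struct

# sssd's documented defaults for ldap_id_mapping (see sssd-ldap(5)):
# ldap_idmap_range_min = 200000 and ldap_idmap_range_size = 200000.
# Every domain SID is assigned one slice of RANGE_SIZE consecutive IDs.
RANGE_MIN = 200000
RANGE_SIZE = 200000


def sid_from_binary(blob: bytes) -> str:
    """Decode the binary objectSID that AD returns over LDAP into S-1-5-21-... text."""
    revision, sub_count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")            # 48-bit identifier authority, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, blob, 8)   # sub-authorities, little-endian uint32
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_to_binary(sid: str) -> bytes:
    """Inverse of sid_from_binary; used here to build sample input offline."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_sid(sid: str):
    """Split an object SID into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def map_rid(rid: int, slice_no: int) -> int:
    """Place a RID inside the slice assigned to its domain.

    slice_no is an input here. sssd picks it from a hash of the domain SID
    (not reproduced); 8980 reproduces the ad.local numbers quoted on this page.
    """
    if not 0 <= rid < RANGE_SIZE:
        raise ValueError("RID %d does not fit in a slice of %d IDs" % (rid, RANGE_SIZE))
    return RANGE_MIN + slice_no * RANGE_SIZE + rid


def map_sid(sid: str, slice_no: int) -> int:
    """Map a full object SID to a unix ID."""
    _domain, rid = split_sid(sid)
    return map_rid(rid, slice_no)


def map_user(object_sid: str, primary_group_id, slice_no: int):
    """Return (uid, gid) for an AD user under ID mapping.

    Without primaryGroupID there is no group SID to build and no GID to derive,
    which is the condition logged as 'no primary group ID provided'.
    """
    domain, _rid = split_sid(object_sid)
    if primary_group_id is None:
        raise ValueError("no primary group ID provided for %s" % object_sid)
    group_sid = "%s-%d" % (domain, int(primary_group_id))
    return map_sid(object_sid, slice_no), map_sid(group_sid, slice_no)


if __name__ == "__main__":
    # Constructed sample: the SID from the log above, Domain Users (RID 513) as the
    # primary group, and the slice inferred from the first message on this page.
    sid = "S-1-5-21-3970895924-989261097-3267629119-1443"
    print(sid_from_binary(sid_to_binary(sid)), "->", map_user(sid, 513, 8980))
    try:
        map_user(sid, None, 8980)
    except ValueError as err:
        print("without primaryGroupID:", err)
```

The check a practitioner gets from this: if the user search in the debug log shows objectSID but no primaryGroupID attribute, the attribute map is the thing to fix before touching the ID ranges.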
sssd-13.4 can't login
by Longina Przybyszewska
Hi,
Can you help me with a problem I have been struggling with for quite a while, which appeared after the upgrade to sssd-13.4 (Ubuntu Xenial):
The user cannot log in;
the home directory (NFS), secured with Kerberos, is mounted with proper idmapping, but the user is refused login to the desktop (lightdm).
SSH login is possible, but access to the home directory is denied (permission denied).
This is setup with:
..
id_provider=ad
use_fully_qualified_names = true
ldap_id_mapping = false
..
In the krb5_child.log I can see a suspicious sequence about "krb5_cc_cache_match failed";
Output from the log:
--
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.933479: Sending request (8186 bytes) to ADM.C.DOMAIN (tcp only)
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.934588: Resolving hostname host0a.adm.c.domain.
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.936998: Initiating TCP connection to stream 10.144.5.5:88
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.938147: Sending TCP request to stream 10.144.5.5:88
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.946674: Received answer (8380 bytes) from stream 10.144.5.5:88
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.946720: Terminating TCP connection to stream 10.144.5.5:88
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948199: Response was not from master KDC
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948264: Decoding FAST response
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948342: FAST reply key: rc4-hmac/12E4
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948366: TGS reply is for user@NAT.C.SDU.DK -> host/lnx-adm557.a.c.domain@A.C.DOMAIN with session key aes256-cts/31E4
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948401: TGS request result: 0/Success
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948407: Received creds for desired service host/lnx-adm557.a.c.domain@A.C.DOMAIN
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948416: Storing user@N.C.DOMAIN -> host/lnx-adm557.a.c.domain@A.C.DOMAIN in MEMORY:gNruZJ9
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948440: Creating authenticator for user@N.C.DOMAIN -> host/lnx-adm557.a.c.domain@A.C.DOMAIN, seqnum 0, subkey (null), session key aes256-cts/31E4
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948500: Retrieving host/lnx-adm557.a.c.domain@A.C.DOMAIN from MEMORY:/etc/krb5.keytab (vno 6, enctype aes256-cts) with result: 0/Success
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948585: Decrypted AP-REQ with specified server principal host/lnx-adm557.a.c.domain@A.C.DOMAIN: aes256-cts/DDBF
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948594: AP-REQ ticket: user@N.C.DOMAIN -> host/lnx-adm557.a.c.domain@A.C.DOMAIN, session key aes256-cts/31E4
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948813: Negotiated enctype based on authenticator: aes256-cts
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948828: Initializing MEMORY:rd_req2 with default princ user@N.C.DOMAIN
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948837: Storing user@N.C.DOMAIN -> host/lnx-adm557.a.c.domain@A.C.DOMAIN in MEMORY:rd_req2
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948849: Destroying ccache MEMORY:gNruZJ9
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [validate_tgt] (0x0400): TGT verified using key for [host/lnx-adm557.a.c.domain@A.C.DOMAIN].
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948876: Retrieving user@N.C.DOMAIN -> host/lnx-adm557.a.c.domain@A.C.DOMAIN from MEMORY:rd_req2 with result: 0/Success
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948967: Retrieving LNX-ADM557$@A.C.DOMAIN from MEMORY:/etc/krb5.keytab (vno 6, enctype aes256-cts) with result: 0/Success
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [user\@N.C.DOMAIN@A.C.DOMAIN] might not be correct.
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.949031: Destroying ccache MEMORY:rd_req2
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/tmp/krb5cc_10002_XXXXXX]
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal user@N.C.DOMAIN in cache collection]
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [create_ccache] (0x4000): Initializing ccache of type [FILE]
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [create_ccache] (0x4000): returning: 0
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [switch_creds] (0x0200): Switch user to [10002][30000000].
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [switch_creds] (0x0200): Already user [10002].
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [k5c_send_data] (0x0200): Received error code 0
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [pack_response_packet] (0x2000): response packet size: [138]
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [k5c_send_data] (0x4000): Response sent.
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [main] (0x0400): krb5_child completed successfully
--
ls -l /tmp/krb5cc_10002_gIeneD
-rw------- 1 user@n.c.domain lnx-primary@a.c.domain 16482 Oct 25 16:14 /tmp/krb5cc_10002_gIeneD
klist -c /tmp/krb5cc_10002_gIeneD
Ticket cache: FILE:/tmp/krb5cc_10002_gIeneD
Default principal: user@N.C.DOMAIN
Valid starting       Expires              Service principal
10/25/2016 16:14:35  10/26/2016 02:14:35  krbtgt/N.C.DOMAIN@N.C.DOMAIN
	renew until 10/26/2016 02:14:35
10/25/2016 16:14:36  10/26/2016 02:14:35  krbtgt/C.SDU.DK@N.C.DOMAIN
	renew until 10/26/2016 02:14:35
10/25/2016 16:14:36  10/26/2016 02:14:35  nfs/adm-lnx-nfs0a.a.c.domain@
	renew until 10/26/2016 02:14:35
10/25/2016 16:14:36  10/26/2016 02:14:35  nfs/adm-lnx-nfs0a.a.c.domain@A.C.DOMAIN
	renew until 10/26/2016 02:14:35
Best,
Longina
7 years
sssd monitor_quit_signal - causes? No matching domain found for [root], fail!
by Richard Collins
Running Red Hat Enterprise Linux Server release 6.5 (Santiago) - 2.6.32-431.el6.x86_64
SSSD version: sssd-1.13.3-22.el6_8.4.x86_64
I'm seeing (seemingly random?) shutdown/termination of sssd across multiple nodes, all with the same configuration. To my knowledge there is no process going around killing things, we even have a scheduled job to check sssd status and restart every 5 minutes if unavailable:
/var/log/sssd/sssd.log:284469:(Mon Sep 26 12:21:29 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
/var/log/sssd/sssd.log:318707:(Mon Sep 26 16:19:19 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
/var/log/sssd/sssd.log:321889:(Mon Sep 26 16:43:12 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
/var/log/sssd/sssd.log:474327:(Tue Sep 27 10:29:39 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
/var/log/sssd/sssd.log:475205:(Tue Sep 27 10:34:36 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
Right before each shutdown, there are lots of the following nss_cmd_getbynam and sss_ncache_check_str entries for 'root' in sssd_nss.log:
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [38][SSS_NSS_INITGR] with input [root].
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [root] from [<ALL>]
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/MYDOMAIN/root]
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [nss_cmd_initgroups_search] (0x0400): User [root] does not exist in [MYDOMAIN]! (negative cache)
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [nss_cmd_initgroups_search] (0x0080): No matching domain found for [root], fail!
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xf7e120][24]
(Mon Sep 26 16:43:12 2016) [sssd[nss]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down
(Mon Sep 26 16:43:12 2016) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xf7e120][24]
(Mon Sep 26 16:43:12 2016) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xf840e0][23]
(Mon Sep 26 16:43:12 2016) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xf7b500][22]
Corresponding AD log for same period:
(Mon Sep 26 16:43:10 2016) [sssd[be[MYDOMAIN]]] [sbus_dispatch] (0x4000): dbus conn: 0x142aa90
(Mon Sep 26 16:43:10 2016) [sssd[be[MYDOMAIN]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Sep 26 16:43:10 2016) [sssd[be[MYDOMAIN]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Mon Sep 26 16:43:10 2016) [sssd[be[MYDOMAIN]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_remove_watch] (0x2000): 0x1440c50/0x143e080
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_remove_watch] (0x2000): 0x1440c50/0x143e030
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_dispatch] (0x4000): dbus conn: 0x143eb00
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [be_client_destructor] (0x0400): Removed SUDO client
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_remove_watch] (0x2000): 0x1444030/0x14420b0
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_remove_watch] (0x2000): 0x1444030/0x1442060
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_dispatch] (0x4000): dbus conn: 0x1443250
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [be_client_destructor] (0x0400): Removed PAM client
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_remove_watch] (0x2000): 0x143d070/0x142c0d0
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_remove_watch] (0x2000): 0x143d070/0x142aeb0
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_dispatch] (0x4000): dbus conn: 0x143c570
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [be_client_destructor] (0x0400): Removed NSS client
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [be_ptask_destructor] (0x0400): Terminating periodic task [SUDO Smart Refresh]
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [be_ptask_destructor] (0x0400): Terminating periodic task [SUDO Full Refresh]
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sdap_handle_release] (0x2000): Trace: sh[0x14f9ff0], connected[1], ops[(nil)], ldap[0x1449c10], destructor_lock[0], release_memory[0]
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [remove_connection_callback] (0x4000): Successfully removed connection callback.
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_remove_watch] (0x2000): 0x142f250/0x1417480
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [remove_socket_symlink] (0x4000): The symlink points to [/var/lib/sss/pipes/private/sbus-dp_MYDOMAIN.11328]
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [remove_socket_symlink] (0x4000): The path including our pid is [/var/lib/sss/pipes/private/sbus-dp_MYDOMAIN.11328]
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [remove_socket_symlink] (0x4000): Removed the symlink
AD controllers are WIN2012R2
SSSD is configured with a single domain (MYDOMAIN)
######begin sssd.conf (redacted)#####
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = MYDOMAIN
debug_level = 9
[nss]
default_shell = /bin/bash
debug_level = 9
filter_users = root
filter_groups = root
[pam]
debug_level = 9
[sudo]
debug_level = 9
[domain/MYDOMAIN]
id_provider = ldap
access_provider = simple
cache_credentials = false
debug_level = 9
ldap_server = _srv_
ldap_search_base = #########
ldap_id_use_start_tls = true
ldap_tls_reqcert = allow
ldap_default_bind_dn = #########
ldap_default_authtok_type = password
ldap_default_authtok = #########
ldap_user_search_base = ou=BusinessUnits,dc=mydomain
ldap_user_object_class = user
ldap_id_mapping = true
ldap_schema = ad
ldap_group_search_base = #########
ldap_group_object_class = group
ldap_referrals = false
enumerate = false
override_homedir = /export/home/%u
ldap_group_nesting_level = 5
ldap_use_tokengroups = false
simple_allow_groups = sasi,sasadmin,sasmgt
ldap_access_order = expire
ldap_account_expire_policy = ad
######end sssd.conf#####
7 years
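An added example (my code, not part of the thread and not an sssd tool). The "Received shutdown command" line is what the sssd monitor logs from its SIGTERM/SIGINT handler, so the two questions are which process sent the signal and what sssd was doing at that instant. The script parses sssd's debug-log line format, pulls the shutdown timestamps out of the monitor log, and for each one counts what the NSS responder logged in the preceding seconds and which of those lines are at a failure level (0x0080 and below). The sample lines are copied from the report above, grep prefixes included; the five-second window is an arbitrary choice. The root lookups landing in the negative cache are the expected effect of filter_users = root in the [nss] section rather than an error in themselves.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample input: the lines quoted in the report above. The monitor
# log lines keep the "path:lineno:" prefix that grep added.
MONITOR_LOG = """\
/var/log/sssd/sssd.log:284469:(Mon Sep 26 12:21:29 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
/var/log/sssd/sssd.log:318707:(Mon Sep 26 16:19:19 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
/var/log/sssd/sssd.log:321889:(Mon Sep 26 16:43:12 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
/var/log/sssd/sssd.log:474327:(Tue Sep 27 10:29:39 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
/var/log/sssd/sssd.log:475205:(Tue Sep 27 10:34:36 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
"""

NSS_LOG = """\
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [38][SSS_NSS_INITGR] with input [root].
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [root] from [<ALL>]
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/MYDOMAIN/root]
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [nss_cmd_initgroups_search] (0x0400): User [root] does not exist in [MYDOMAIN]! (negative cache)
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [nss_cmd_initgroups_search] (0x0080): No matching domain found for [root], fail!
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xf7e120][24]
(Mon Sep 26 16:43:12 2016) [sssd[nss]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down
(Mon Sep 26 16:43:12 2016) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xf7e120][24]
(Mon Sep 26 16:43:12 2016) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xf840e0][23]
(Mon Sep 26 16:43:12 2016) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xf7b500][22]
"""

# sssd debug line: "(<ctime>) [<process>] [<function>] (<level>): <message>".
# search() rather than match() so a leading grep "path:lineno:" prefix is tolerated.
LINE_RE = re.compile(
    r"\((?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\) "
    r"\[(?P<proc>sssd[^ ]*)\] \[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# sssd debug level bits: 0x0010 fatal, 0x0020 critical, 0x0040 serious, 0x0080 minor failure.
FAILURE_LEVEL_MAX = 0x0080


def parse_line(line):
    """Parse one sssd debug line into a dict, or return None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    rec["level"] = int(rec["level"], 16)
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def shutdown_times(monitor_text):
    """Timestamps at which the monitor logged a shutdown command (its SIGTERM/SIGINT handler)."""
    return [r["ts"] for r in parse_log(monitor_text)
            if r["func"] == "monitor_quit_signal" and "Received shutdown command" in r["msg"]]


def activity_before(log_text, when, window_seconds=5):
    """Count responder log lines per function in the window_seconds up to and including 'when'."""
    lo = when - timedelta(seconds=window_seconds)
    return Counter(r["func"] for r in parse_log(log_text) if lo <= r["ts"] <= when)


def failures(log_text):
    """Lines logged at a failure level (0x0080 and below); everything else is trace noise."""
    return [r for r in parse_log(log_text) if r["level"] <= FAILURE_LEVEL_MAX]


def correlate(monitor_text, responder_text, window_seconds=5):
    """For each shutdown, what the responder was doing just before it."""
    return [(ts, activity_before(responder_text, ts, window_seconds))
            for ts in shutdown_times(monitor_text)]


if __name__ == "__main__":
    for ts, counts in correlate(MONITOR_LOG, NSS_LOG):
        print(ts.isoformat(), dict(counts) or "(no responder lines in window)")
    for r in failures(NSS_LOG):
        print("failure-level:", r["ts"].isoformat(), r["func"], r["msg"])
```

Run against the real files (sssd.log, sssd_nss.log, sssd_MYDOMAIN.log) rather than the embedded samples, and compare the shutdown timestamps with the schedule of the five-minute status/restart job and with system logs for who signalled the sssd process; the log alone shows only that the signal arrived.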
Question about AD authentication and trusts
by Guy Knights
Hi,
Can anyone confirm for me whether SSSD supports authentication of users
belonging to a trusted domain via an AD controller in the trusting domain?
I.e. a user attempts to log in as fred@test1.example.com on a client machine
running SSSD, where SSSD has joined a domain test2.example.com and there is
a 2-way forest trust between both domains. Is this supported? I've been
trying to do so and so far it hasn't been working.
For the record, my setup is:
AD controller domain test1: Windows server 2012 R2
AD controller domain test2: Windows server 2012 R2
Ubuntu 14.04 client running SSSD 1.12.5
Thanks,
Guy
7 years
sssd.conf and /var/lib/sss/db/config.ldb
by Daniel Hermans
Hi,
Not sure if this is a bug or not, but here is a quick warning that hopefully may save someone some time!
We use puppet to install sssd based on a condition. We:
- yum install -y sssd
- authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap --enableldapauth --enablemkhomedir --enablecachecreds --update (to set up PAM and nsswitch - not sure if ALL of these are necessary?)
- copy over our private config (as you can't do all of the config with authconfig, as far as I can see?)
This didn't work - intermittently sssd was using a 'stale' config. After much headbutting, the issue was twofold:
- sssd is started and activated by the authconfig command; this creates config.ldb and cache_default.ldb
- puppet writes the config file immediately and sssd is restarted
- sssd compares the modification time of /etc/sssd/sssd.conf with /var/lib/sss/db/config.ldb and, because the times are the same (written in the same minute), IT IGNORES the new config file
Solution:
- add '--nostart' to the authconfig command to stop the initial start; this will prevent creation of the cache. Copy over the config and then start/enable (which will create the cache).
Not sure if related, but there is a TODO in the code around this area (src/confdb/confdb_setup.c):
ret = sss_ini_get_mtime(init_data, sizeof(timestr), timestr);
if (ret <= 0 || ret >= (int)sizeof(timestr)) {
DEBUG(SSSDBG_FATAL_FAILURE,
"Failed to convert time_t to string ??\n");
ret = errno ? errno : EFAULT;
}
/* FIXME: Determine if the conf file or any snippet has changed
* since we last updated the confdb or if some snippet was
* added or removed.
*/
Puppet then
7 years
Announcing SSSD 1.14.2
by Jakub Hrozek
=== SSSD 1.14.2 ===
The SSSD team is proud to announce the release of version 1.14.2 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* Several more regressions caused by cache refactoring to use qualified names internally were fixed, including a regression that prevented the krb5_map_user option from working correctly.
* A regression when logging in with a smart card using the GDM login manager was fixed
* SSSD now removes the internal timestamp cache on startup when the persistent cache has been removed. This enables admins to follow their existing workflow of just removing the persistent cache and starting from a fresh slate
* Several fixes to the sssd-secrets responder are present in this release
* A bug in the autofs responder that prevented automounter maps from being returned when sssd_be was offline was fixed
* A similar bug in the NSS responder that prevented netgroups from being returned when sssd_be was offline was fixed
* Disabling the netlink integration can now be done with a new option disable_netlink. Previously, the netlink integration could be disabled with a sssd command line switch, which is being deprecated in this release.
* The internal watchdog no longer kills sssd processes in case time shifts during sssd runtime
* The fail over code is able to cope with concurrent SRV resolution requests better in this release
* The proxy provider gained a new option proxy_max_children that allows the administrator to control the maximum number of child helper processes that authenticate users with auth_provider=proxy
* The InfoPipe D-Bus responder exports the UUIDs of user and group objects through a uniqueID property
== Packaging Changes ==
* The private pipe directory permissions were changed from 0700 to 0750. The restrictive permissions were causing SELinux dac_override denials
* The Python packages for python2 were renamed from python-package to python2-package with backwards-compatible Provides and Obsoletes
* The sssd-common subpackage contains a new manual page sssd-secrets(5)
* The sssd-tools subpackage explicitly Requires /sbin/service on platforms that don't support systemd in order to be able to restart sssd from the sssctl tool
== Documentation Changes ==
* The kill_service option that was no longer useful after we moved from in-process pings to watchdog was removed
* The --disable-netlink sssd(8) command-line option was removed in favor of [sssd] section option disable_netlink
* The proxy_max_children option was added. Please see the highlights section for more details.
* The sssd-secrets responder gained a man page in this release.
* Two new options, containers_nest_level and max_secrets, were added to the sssd-secrets responder. The former allows the administrator to configure the maximum nesting level of secrets containers, the latter allows the administrator to configure the maximum number of secrets that can be stored. Please note that both options apply to the local secrets provider only.
* The sssd-ldap man page didn't specify the different defaults for the user and group name LDAP attributes in the AD provider. This documentation bug was fixed.
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/2813
man page for sss_override command provides irrelevant information for --debug option
https://fedorahosted.org/sssd/ticket/2841
sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)
https://fedorahosted.org/sssd/ticket/3051
Move the diag_cmd option so that it's usable by the watchdog.
https://fedorahosted.org/sssd/ticket/3052
Remove the no longer used kill_service command
https://fedorahosted.org/sssd/ticket/3053
The sssd-secrets responder needs a manpage
https://fedorahosted.org/sssd/ticket/3054
Create integration tests for the sssd-secrets responder
https://fedorahosted.org/sssd/ticket/3056
The sssctl tool should restart the service with systemd's dbus API
https://fedorahosted.org/sssd/ticket/3107
Python SSSD Config API deletes an item during iteration
https://fedorahosted.org/sssd/ticket/3123
Netgroup resolution doesn't work offline
https://fedorahosted.org/sssd/ticket/3125
secrets responder throws an internal error when trying to delete a non-existent secret
https://fedorahosted.org/sssd/ticket/3127
SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side
https://fedorahosted.org/sssd/ticket/3128
throw away the timestamp cache if re-initializing the persistent cache
https://fedorahosted.org/sssd/ticket/3134
sssd is not able to authenticate with alias
https://fedorahosted.org/sssd/ticket/3137
secrets: creating a secret in a container doesn't work
https://fedorahosted.org/sssd/ticket/3140
autofs map resolution doesn't work offline
https://fedorahosted.org/sssd/ticket/3142
expose disabling the netlink support as a sssd.conf option
https://fedorahosted.org/sssd/ticket/3143
selinux avc denial for vsftp login as ipa user
https://fedorahosted.org/sssd/ticket/3145
Update sssd-sudo man page to reflect native sudo support
https://fedorahosted.org/sssd/ticket/3154
sssd exits if clock is adjusted backwards after boot
https://fedorahosted.org/sssd/ticket/3163
resolving IPA nested user group is broken in 1.14
https://fedorahosted.org/sssd/ticket/3165
login using gdm calls for gdm-smartcard when smartcard authentication is not enabled
https://fedorahosted.org/sssd/ticket/3167
SECRETS: Deleting a container that has children should fail
https://fedorahosted.org/sssd/ticket/3168
secrets: Add a configurable depth limit for containers
https://fedorahosted.org/sssd/ticket/3172
Access denied for user when access_provider = krb5 is set in sssd.conf
https://fedorahosted.org/sssd/ticket/3173
unable to create group in sssd cache
https://fedorahosted.org/sssd/ticket/3174
Clock skew makes SSSD return System Error
https://fedorahosted.org/sssd/ticket/3175
sss_groupshow does not work
https://fedorahosted.org/sssd/ticket/3178
unable to add local user in sssd to a group in sssd
https://fedorahosted.org/sssd/ticket/3179
sss_override fails to export
https://fedorahosted.org/sssd/ticket/3180
sss_cache -r option does not print error message if more than one argument is supplied
https://fedorahosted.org/sssd/ticket/3181
libwbclient-sssd: update interface to version 0.13
https://fedorahosted.org/sssd/ticket/3184
sss_groupshow <user> fails with error "No such group in local domain. Printing groups only allowed in local domain"
https://fedorahosted.org/sssd/ticket/3185
SSSD goes offline when the LDAP server returns sizelimit exceeded
https://fedorahosted.org/sssd/ticket/3188
krb5_map_user doesn't seem effective anymore
https://fedorahosted.org/sssd/ticket/3194
[RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases
https://fedorahosted.org/sssd/ticket/3205
Typo In SSSD-AD Man Page
https://fedorahosted.org/sssd/ticket/3207
SSSD logs error upon adding [secrets] section.
https://fedorahosted.org/sssd/ticket/3212
secrets: 500 internal server error when proxy is defined but not running
https://fedorahosted.org/sssd/ticket/3213
IPA: Uninitialized variable during subdomain check
== Detailed Changelog ==
Fabiano Fidêncio (24):
* PROXY: Use the fqname when converting to lowercase
* SYSDB: Rework sysdb_cache_connect()
* SYSDB: Remove the timestamp cache for a newly created cache
* SECRETS: Return ENOENT when deleting a non-existent secret
* PROXY: Remove lowercase attribute from save_user()
* PROXY: Remove cache_timeout attribute from save_user()
* PROXY: Remove cache_timeout attribute from save_group()
* PROXY: Mention that save_user()'s parameters are already qualified
* PROXY: Share common code of save_{group,user}()
* BUILD: Add a few more targets for intg tests
* BUILD: Clean up prerelease targets
* BUILD: Fix typo in intgcheck-run rule
* MONITOR: Remove leftovers from diag_cmd
* MONITOR: Remove leftovers from kill_service
* SECRETS: Search by the right type when checking containers
* SECRETS: Don't remove a container when it has children
* CONFIG: Add secrets responder to the allowed sections
* CONFIG: Add secrets provider options
* SECRETS: Make functions from local.c static
* SECRETS: Use a tmp_context on local_db_check_containers()
* SECRETS: Add a configurable depth limit for nested containers
* SECRETS: Add a configurable limit of secrets that can be stored
* TESTS: Remove a leftover debug message
* TESTS: Fix check for py bindings in dlopen tests
Jakub Hrozek (35):
* Updating the version for the 1.14.2 release
* CONFIG: selinux_provider is a valid provider type
* CONFIG: session_provider does not exist anymore
* IPA: Parse qualified names when guessing AD user principal
* MONITOR: Remove the no longer used diag_cmd command
* MONITOR: Remove the no longer used kill_service command
* WATCHDOG: define and use _MAX_TICKS as 3
* SECRETS: Make internal function static
* SECRETS: Make reading the config options more uniform
* netlink: Don't define USE_GNU
* MAN: Document the ldap_user_primary_group option
* TOOLS: Fix a typo in groupadd()
* KRB5: Send the output username, not internal fqname to krb5_child
* KRB5: Return ERR_NETWORK_IO on clock skew
* LDAP: Return partial results from adminlimit exceeded
* TESTS: Add integration tests for the sssd-secrets
* AUTOFS: Fix offline resolution of autofs maps
* NSS: Fix offline resolution of netgroups
* TESTS: Test offline netgroups resolution
* tests: Add a regression test for upstream ticket #3131
* MAN: sssd-secrets documentation
* CONFIG: List allowed secrets responder options
* SECRETS: Add DEBUG messages to the sssd-secrets provider
* SECRETS: Use a better data type for ret
* SECRETS: Fix a typo in function name
* SECRETS: Use HTTP error code 504 when a proxy server cannot be reached
* IPA: Initialize a boolean control value
* tests: Add tests for sidbyname NSS operation
* tests: Add tests for getorig by UPN NSS op
* BUILD: Detect the path of the "service" executable
* BUILD: Only search for service in /sbin and /usr/sbin
* BUILD: Not having /sbin/service is not fatal
* RPM: Require initscripts on non-systemd platforms
* sssctl: Fix a typo in preprocessor macro
* Updating the translations for the 1.14.2 release
Justin Stephenson (4):
* MONITOR: Remove --disable-netlink command-line option
* MONITOR: Add disable_netlink option
* MAN: sssd-sudo manual update IPA native LDAP tree support
* sss_cache: improve option argument handling
Lukas Slebodnik (16):
* sssd_netgroup.py: Resolve nested netgroups
* BUILD: Allow to read private pipes for root
* SPEC: Fix typo in Summary
* SYSDB: Fix uninitialized scalar variable
* BUILD: Remove leftover after sysdb refactoring
* PROXY: Use right name in ldap filter
* SYSDB: Fix error handling in sysdb_get_user_members_recursively
* DEBUG: Append line feed to messages from libsemanage
* SYSDB: Suppress warning from clang static analyser
* SDAP: Fix setting paging attribute in sdap_get_generic_ext_send
* Remove double semicolon at the end of line
* TESTS: Add simple test for double semicolon
* SSSDConfig: Do not fail with nonexisting domains/services
* SPEC: Rename python packages using macro %python_provide
* BUILD: intgcheck need to fail if pytest fails
* CI: Remove dlopen-test from valgrind blacklist
Michal Židek (12):
* TOOLS: sss_groupshow did not work
* TESTS: sss_groupadd/groupshow regressions
* TOOLS: use internal fqdn for DN
* TESTS: Test for sss_user/groupmod -a
* TOOLS: sss_mc_refresh_nested_group short/fqname usage
* TESTS: Add FQDN variants for some tests
* TOOLS: sss_override without name override
* TEST: Add regression test for ticket #3179
* TOOLS: sss_groupshow fails to show MPG
* TESTS: sss_groupshow with MPG
* MAN: Typo in id mapping explanation
* MAN: Wrong defaults for AD provider
Pavel Březina (7):
* watchdog: cope with time shift
* dyndns: fix typo and unify ipa with ad debug message when off
* failover: proceed normally when no new server is found
* sss_override: improve --debug description
* man page: fix language in debug level description
* sssctl: use systemd D-Bus API
* sssctl: call service with absolute path
Petr Cech (4):
* LDAP: Fixing of removing netgroup from cache
* INTG: Adding support for netgroups to ldap_ent
* INTG: Tests for ldap nested netgroups
* PROXY: Adding proxy_max_children option
Petr Čech (5):
* SYSDB: Removing of unused parameter
* TESTS: Fixing of 'const' warnings in sbus tests
* MAKEFILE: Fixing CFLAGS in some tests
* KRB5: Fixing FQ name of user in krb5_setup()
* TESTS: Adding intg. tests on nested groups
Sumit Bose (8):
* sdap_initgr_nested_get_membership_diff: use fully-qualified names
* p11: only set PKCS11_LOGIN_TOKEN_NAME if gdm-smartcard is used
* p11: return a fully-qualified name
* pam_sss: check PKCS11_LOGIN_TOKEN_NAME
* PAM: call free only when memory is expected to be allocated
* nss: allow UPNs in SSS_NSS_GETSIDBYNAME and SSS_NSS_GETORIGBYNAME
* libwbclient-sssd: update interface to version 0.13
* LDAP: Removing of member link from group
Thomas Equeter (1):
* IFP: expose user and group unique IDs through DBus
LDAP TLS problem
by c.haul@web.de
Hi all,
I'm failing to setup TLS to OpenLDAP correctly. Running
ldapsearch -x -ZZ -h cube.fritz.box -b dc=fritz,dc=box
works.
However, sssd_fritz.box.log contains
(Sun Oct 30 21:49:40 2016) [sssd[be[fritz.box]]] [sdap_sys_connect_done] (0x0100): Executing START TLS
(Sun Oct 30 21:49:40 2016) [sssd[be[fritz.box]]] [sdap_connect_done] (0x0080): START TLS result: Success(0), (null)
(Sun Oct 30 21:49:40 2016) [sssd[be[fritz.box]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Sun Oct 30 21:49:40 2016) [sssd[be[fritz.box]]] [sdap_cli_connect_recv] (0x0400): Connection established.
(Sun Oct 30 21:49:40 2016) [sssd[be[fritz.box]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'cube.fritz.box' as 'working'
(Sun Oct 30 21:49:40 2016) [sssd[be[fritz.box]]] [set_server_common_status] (0x0100): Marking server 'cube.fritz.box' as 'working'
(Sun Oct 30 21:49:40 2016) [sssd[be[fritz.box]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'cube.fritz.box' as 'working'
(Sun Oct 30 21:49:40 2016) [sssd[be[fritz.box]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=fritz,dc=box]
(Sun Oct 30 21:49:40 2016) [sssd[be[fritz.box]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uidNumber=11012)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=fritz,dc=box].
(Sun Oct 30 21:49:40 2016) [sssd[be[fritz.box]]] [sdap_process_result] (0x0040): ldap_result error: [Can't contact LDAP server]
(Sun Oct 30 21:49:40 2016) [sssd[be[fritz.box]]] [generic_ext_search_handler] (0x0040): sdap_get_generic_ext_recv failed [5]: Input/output error
(Sun Oct 30 21:49:40 2016) [sssd[be[fritz.box]]] [sdap_get_users_done] (0x0040): Failed to retrieve users [5][Input/output error].
(Sun Oct 30 21:49:40 2016) [sssd[be[fritz.box]]] [sdap_id_op_done] (0x0200): communication error on cached connection, moving to next server
Config is
[domain/fritz.box]
id_provider = ldap
debug_level = 6
ldap_schema = rfc2307
enumerate = false
ldap_uri = ldap://cube.fritz.box
ldap_search_base = dc=fritz,dc=box
ldap_access_filter = memberOf=cn=users,ou=Group,dc=fritz,dc=box
ldap_tls_cacert = /etc/ssl/certs/Local_ROOT_CA.crt
ldap_tls_reqcert = demand
ldap_id_use_start_tls = True
# file /etc/ssl/certs/Local_ROOT_CA.crt
/etc/ssl/certs/Local_ROOT_CA.crt: PEM certificate
# cat /etc/ldap/ldap.conf
BASE dc=fritz,dc=box
URI ldaps://cube.fritz.box
SSL start_tls
TLS_CACERT /etc/ssl/certs/Local_ROOT_CA.crt
TLS_REQCERT demand
All indicates that SSSD terminates the connection.
OpenLDAP log:
Oct 30 21:49:40 cube slapd[14620]: conn=1289 fd=20 ACCEPT from IP=192.168.254.13:55698 (IP=0.0.0.0:389)
Oct 30 21:49:40 cube slapd[14620]: conn=1289 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 30 21:49:40 cube slapd[14620]: conn=1289 op=0 STARTTLS
Oct 30 21:49:40 cube slapd[14620]: conn=1289 op=0 RESULT oid= err=0 text=
Oct 30 21:49:40 cube slapd[14620]: conn=1289 fd=20 closed (TLS negotiation failure)
Oct 30 21:49:40 cube slapd[14620]: conn=1290 fd=20 ACCEPT from IP=192.168.254.13:55700 (IP=0.0.0.0:389)
Oct 30 21:49:40 cube slapd[14620]: conn=1290 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 30 21:49:40 cube slapd[14620]: conn=1290 op=0 STARTTLS
Oct 30 21:49:40 cube slapd[14620]: conn=1290 op=0 RESULT oid= err=0 text=
Oct 30 21:49:40 cube slapd[14620]: conn=1290 fd=20 closed (TLS negotiation failure)
Wireshark says:
- correct certificate is presented by OpenLDAP
- client sends
    Secure Sockets Layer
        TLSv1.2 Record Layer: Alert (Level: Warning, Description: Close Notify)
            Content Type: Alert (21)
            Version: TLS 1.2 (0x0303)
            Length: 2
            Alert Message
                Level: Warning (1)
                Description: Close Notify (0)
Increasing debug_level doesn't provide more details.
This is on debian sid with
# dpkg -l sssd
ii sssd 1.14.1-1 amd64 System Security Services Daemon -- metapackage
How to proceed?
How to find out more what's wrong with the TLS setup?
TIA,
Chris.
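The post asks how to find out more about the TLS setup. The script below is an added example, not code from the poster or from the SSSD project: it runs the checks a practitioner would do next when sssd reports "START TLS result: Success" and then "Can't contact LDAP server" while slapd reports "TLS negotiation failure" and the client is the side sending close_notify. The host name, port and CA path are the ones from the post; the function names, the use of openssl(1) to replay the STARTTLS handshake with the same CA file and host-name check that ldap_tls_reqcert = demand implies, and the ldd-based look at which TLS library libldap is linked against are all my assumptions. `openssl s_client -starttls ldap` needs OpenSSL 1.1.0 or newer.

```shell
#!/bin/sh
# Added example (not from the original post or from SSSD). Assumes a POSIX sh,
# grep(1), and openssl(1) >= 1.1.0 for the live STARTTLS probe.

# 1. Sanity-check the file ldap_tls_cacert points at: readable (sssd_be runs
#    as root), PEM-encoded, and how many certificates it holds. If the slapd
#    certificate is signed through an intermediate, that intermediate has to
#    be either in this file or sent by slapd, or verification fails.
# Prints the certificate count on stdout; returns 1 for an unreadable or
# non-PEM file.
count_pem_certs() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 1
    fi
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$file" || true)
    if [ "$n" -eq 0 ]; then
        echo "$file contains no PEM certificate blocks" >&2
        return 1
    fi
    echo "$n"
}

# 2. List subject and issuer of every certificate in the bundle, so a CA file
#    that only holds the root (no intermediate) or the wrong CA is visible.
show_pem_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# 3. Replay what libldap does: STARTTLS on port 389, verify the server chain
#    against the same CA file, and check the host name against the
#    certificate. "Verify return code: 0 (ok)" here while sssd still fails
#    points at something on the sssd side (which TLS library its libldap uses,
#    file permissions); any other code names the certificate problem.
probe_starttls() {
    host=$1; port=${2:-389}; cafile=$3
    openssl s_client -connect "$host:$port" -starttls ldap \
        -CAfile "$cafile" -verify_hostname "$host" -verify_return_error \
        </dev/null 2>&1 | grep -E 'Verify return code|verify error|depth=|Hostname'
}

# 4. Debian builds libldap against GnuTLS, not OpenSSL, so an OpenSSL-only
#    diagnosis can be misleading; show which library libldap actually loads.
libldap_tls_backend() {
    lib=$(ldconfig -p | awk '/libldap[-_.]/ {print $NF; exit}')
    [ -n "$lib" ] && ldd "$lib" | grep -Ei 'gnutls|libssl' || echo "libldap not found"
}

# Usage: sh check_ldap_tls.sh cube.fritz.box /etc/ssl/certs/Local_ROOT_CA.crt
if [ "$#" -ge 2 ]; then
    count_pem_certs "$2" && show_pem_subjects "$2"
    probe_starttls "$1" 389 "$2"
    libldap_tls_backend
fi
```

If the probe verifies cleanly with the same CA file and host name, compare the CA file permissions and the TLS backend reported in step 4 before suspecting the certificate itself; if it fails, the verify code it prints (unknown CA, host-name mismatch, expired) is the thing to fix on the LDAP side.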