sssd performance on large domains
by zfnoctis@gmail.com
Hi,
I'm wondering if there are any plans to improve sssd performance on large active directory domains (100k+ users, 40k+ groups), or if there are settings I am not aware of that can greatly improve performance, specifically for workstation use cases.
Currently if I do not set "ignore_group_members = True" in sssd.conf, logins can take upwards of 6 minutes and "sssd_be" will max the CPU for up to 20 minutes after logon, which makes it a non-starter. The reason I want to allow group members to be seen is that I want certain domain groups to be able to perform elevated actions using polkit. If I ignore group members, polkit reports that the group is empty and so no one can elevate in the graphical environment.
Ultimately this means that Linux workstations are at a severe disadvantage since they cannot be bound to the domain and have the normal set of access features users and IT expect from macOS or Windows.
Distributions used: Ubuntu 16.04 (sssd 1.13.4-1ubuntu1.1), Ubuntu 16.10 (sssd 1.13.4-3) and Fedora 24 (sssd-1.13.4-3.fc24). All exhibit the same problems.
I've also tried "ldap_group_nesting_level = 1" without seeing any noticeable improvement with respect to performance. Putting the database on /tmp isn't viable as these are workstations that will reboot semi-frequently, and I don't believe this is an I/O bound performance issue anyways.
Thanks for your time.
1 year, 10 months
Enumerate users from external group from AD trust
by Bolke de Bruin
Hello,
I have sssd 1.13.00 working against FreeIPA 4.2 domain. This domain has a trust relationship with a active directory domain.
One of the systems we are using requires to enumerate all users in groups by (unfortunate) design (Apache Ranger). This is done by using
“getent group”. During this enumeration the full user list for a group that has a nested external member group* is not always returned so we thought to
add “getent group mygroup” in order to get more details. Unfortunately this does not seem to work consistently: sometimes this gives information sometimes it does not:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
[root@master centos]# id bolke(a)ad.local
UID=1796201107(bolke(a)ad.local) GID=1796201107(bolke(a)ad.local) groepen=1796201107(bolke(a)ad.local),1796200513(domain users@ad.local),1796201108(test(a)ad.local)
[root@master centos]# getent group ad_users
ad_users:*:1950000004:bolke@ad.local <mailto:bolke@ad.local>
If I clear the cache (sss_cache -E) the entry is gone again:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
My question is how do I get sssd to enumerate *all users* in a group consistently?
Thanks!
Bolke
* https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-g...
4 years
'no primary group ID provided' when trying to use ldap mode against AD
by Daniel Hermans
Hi,
i'd like to use sssd in ldap mode against Active Directory so I have defined:
id_provider = ldap
auth_provider = ldap
Yes krb5 would be better but i only have a BIND account and cannot add computer objects.
This 'should' be possible - it works with nslcd. As I don't have Posix attributes i'm using:
ldap_id_mapping = true
fallback_homedir = /home/%d/%u
default_shell = /bin/bash
sssd can bind with LDAPS and can seem to get user info from the domain:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Some User,OU=Admin Accounts,DC=dev,DC=somedomain,DC=com].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_process_result] (0x2000): Trace: sh[0x7f5d15fbc030], connected[1], ops[0x7f5d1639d140], ldap[0x7f5d15fb5cd0]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_op_destructor] (0x2000): Operation 3 finished
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_search_user_process] (0x4000): Retrieved total 1 users
The UID mapping seems to succeed:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): Save user
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x4000): Failed to retrieve UUID [2][No such file or directory].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): SID S-1-5-21-3970895924-989261097-3267629119-1443 does not belong to any known domain
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_primary_name] (0x0400): Processing object someuser
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): Processing user someuser
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x1000): Mapping user [someuser] objectSID [S-1-5-21-3970895924-989261097-3267629119-1443] to unix ID
But it gets no further with this message:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_idmap_primary_gid] (0x0080): no primary group ID provided
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0020): Cannot get the GID for [someuser] in domain [extdev].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0020): Failed to save user [someuser]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
Have tried against two different domains with identical result ( one a cleanly installed 2012R2 domain ).
Any ideas what I'm doing wrong? Is this possible? Various (old) posts suggests it is.
This was first (incorrectly) posted to sssd-devel, Jakub Hrozek updated and told me to define ldap_idmap_default_domain_sid so sssd no longer reports this:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): SID S-1-5-21-3970895924-989261097-3267629119-1443 does not belong to any known domain
Thanks in advance!!
6 years, 7 months
sssd-13.4 can't login
by Longina Przybyszewska
Hi,
Can you help me with a problem I struggle quite a time, that appeared after upgrade to sssd-13.4 (Ubuntu Xenial):
User can not login;
Home directory (nfs) secured with Kerberos, is mounted, with proper idmapping, but user is refused to login to the desktop (lightdm).
Ssh login is possible, but permission denied to access the home directory.
This is setup with:
..
id_provider=ad
use_fully_qualified_names = true
ldap_id_mapping = false
..
In the krb5_child.log I can see suspicious sequence about "krb5_cc_cache_match failed";
Output from the log:
--
Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.933479: Sending request (8186 bytes) to A
DM.C.DOMAIN (tcp only)
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.934588: Resolving hostname host0a.adm.
c.domain.
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.936998: Initiating TCP connection to stre
am 10.144.5.5:88
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.938147: Sending TCP request to stream 10.
144.5.5:88
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.946674: Received answer (8380 bytes) from
stream 10.144.5.5:88
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.946720: Terminating TCP connection to str
eam 10.144.5.5:88
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948199: Response was not from master KDC
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948264: Decoding FAST response
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948342: FAST reply key: rc4-hmac/12E4
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948366: TGS reply is for user(a)NAT.C.SD
U.DK -> host/lnx-adm557.a.c.domain(a)A.C.DOMAIN with session key aes256-cts/31E4
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948401: TGS request result: 0/Success
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948407: Received creds for desired servic
e host/lnx-adm557.a.c.domain(a)A.C.DOMAIN
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948416: Storing user(a)N.C.DOMAIN -> h
ost/lnx-adm557.a.c.domain(a)A.C.DOMAIN in MEMORY:gNruZJ9
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948440: Creating authenticator for user(a)N.C.DOMAIN -> host/lnx-adm557.a.c.domain(a)A.C.DOMAIN, seqnum 0, subkey (null), session key aes256-cts/31E4
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948500: Retrieving host/lnx-adm557.a.c.domain(a)A.C.DOMAIN from MEMORY:/etc/krb5.keytab (vno 6, enctype aes256-cts) with result: 0/Success
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948585: Decrypted AP-REQ with specified server principal host/lnx-adm557.a.c.domain(a)A.C.DOMAIN: aes256-cts/DDBF
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948594: AP-REQ ticket: user(a)N.C.DOMAIN -> host/lnx-adm557.a.c.domain(a)A.C.DOMAIN, session key aes256-cts/31E4
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948813: Negotiated enctype based on authenticator: aes256-cts
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948828: Initializing MEMORY:rd_req2 with default princ user(a)N.C.DOMAIN
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948837: Storing user(a)N.C.DOMAIN -> host/lnx-adm557.a.c.domain(a)A.C.DOMAIN in MEMORY:rd_req2
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948849: Destroying ccache MEMORY:gNruZJ9
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [validate_tgt] (0x0400): TGT verified using key for [host/lnx-adm557.a.c.domain(a)A.C.DOMAIN].
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948876: Retrieving user(a)N.C.DOMAIN -> host/lnx-adm557.a.c.domain(a)A.C.DOMAIN from MEMORY:rd_req2 with result: 0/Success
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948967: Retrieving LNX-ADM557$(a)A.C.DOMAIN from MEMORY:/etc/krb5.keytab (vno 6, enctype aes256-cts) with result: 0/Success
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [user\@N.C.DOMAIN(a)A.C.DOMAIN] might not be correct.
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.949031: Destroying ccache MEMORY:rd_req2
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/tmp/krb5cc_10002_XXXXXX]
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal user(a)N.C.DOMAIN in cache collection]
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [create_ccache] (0x4000): Initializing ccache of type [FILE]
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [create_ccache] (0x4000): returning: 0
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [switch_creds] (0x0200): Switch user to [10002][30000000].
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [switch_creds] (0x0200): Already user [10002].
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [k5c_send_data] (0x0200): Received error code 0
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [pack_response_packet] (0x2000): response packet size: [138]
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [k5c_send_data] (0x4000): Response sent.
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [main] (0x0400): krb5_child completed successfully
--
ls -l /tmp/krb5cc_10002_gIeneD
-rw------- 1 user(a)n.c.domain lnx-primary(a)a.c.domain 16482 Oct 25 16:14 /tmp/krb5cc_10002_gIeneD
klist -c /tmp/krb5cc_10002_gIeneD
Ticket cache: FILE:/tmp/krb5cc_10002_gIeneD
Default principal: user(a)N.C.DOMAIN
Valid starting Expires Service principal
10/25/2016 16:14:35 10/26/2016 02:14:35 krbtgt/N.C.DOMAIN(a)N.C.DOMAIN
renew until 10/26/2016 02:14:35
10/25/2016 16:14:36 10/26/2016 02:14:35 krbtgt/C.SDU.DK(a)N.C.DOMAIN
renew until 10/26/2016 02:14:35
10/25/2016 16:14:36 10/26/2016 02:14:35 nfs/adm-lnx-nfs0a.a.c.domain@
renew until 10/26/2016 02:14:35
10/25/2016 16:14:36 10/26/2016 02:14:35 nfs/adm-lnx-nfs0a.a.c.domain(a)A.C.DOMAIN
renew until 10/26/2016 02:14:35
Best,
Longina
7 years
Allow user to login only when backend offline
by Kevin Sullivan
What is the SSSD approach to allowing a user to only login when its backend if offline?
I currently have an OpenLDAP server that I authenticate against via SSSD and PAM to login. Normally, I can log into my machines with the accounts stored in LDAP, however, I would like to still be able to log into those machines even if my LDAP server is not online. I want to have an emergency user that is able to login when LDAP is not online, but I don't want the emergency user to be able to log in when LDAP is online. I don't want to cache credentials and I can't guarantee that the account will have been used to login before LDAP is offline.
What I am currently doing that doesn't work is having a locked account in LDAP for the emergency user. So if someone tries to login as the emergency user it will fail. The emergency user is disabled by the setting `ldap_access_order` to `expire`. Unfortunately, when LDAP is offline, the emergency user still has the locked attribute since the user's attributes are cached. So the emergency user still fails to login.
So my questions are:
1. SSSD is caching my user information (not credentials) when my LDAP server is offline. Is there a way to not cache user information or drop it after a set amount of time?
I don't think there is a way, but I want to ask. I also don't think that this is the SSSD mindset, which leads to my next question.
2. What is the SSSD way to allow a user to only login when its backend is offline?
Is there a way to do special things when a backend if offline? Instead of locking the account through a client-side 'access' check, should I be doing this through a server-side mechanism? Am I missing something incredibly obvious? Is this just a stupid approach to begin with?
I am sure there is a good way to do this, I just don't know enough to figure it out.
Thanks,
Kevin
7 years
generating sss_obfuscate passwords
by Mario Rossi
Hi,
sss_obfuscate is used locally on servers to replace clear text passwords
in sssd.conf. In our environment we have hundreds of servers and what I
usually do is manually generate the password on a test server. I would
like to automate ldap_default_authtok via a php interface or API. This
is needed because we use one bind DN per server and I'd like to build a
web portal where people can request new server bind DNs and randomly
generated passwords.
Is there a way?
Thank you,
Mario
7 years
sssd_be
by Ali, Saqib
Newbie question: What does the be stands for in sssd_be? And what is
the function of the sssd_be?
7 years
HBAC using just SSSD and LDAP
by Ali, Saqib
Hello,
We currently use ldap_access_filter to control who can login into the
machine. But managing these ldap_access_filter across machines is
cumbersome. Is there a better way of implementing HBAC?
Thanks
Saqib
7 years
ldap netgroup refresh interval in SSSD
by Ali, Saqib
sssd has the following config to set the interval for the sudo rules refresh:
ldap_sudo_full_refresh_interval
What is the configuration to set the interval for the netgroup definition retrieval from LDAP?
7 years
Configuring PAM for pam_sss
by Lesley Kimmel
How would a newbie know what sorts of functions the various pam_sss modules (auth/session/password/account) perform in order to decide how to configure them in the PAM stack? I've seen references on Fedorahosted and Red Hat sites but they just tell you exactly what to set by not why or what the modules are doing. The man page for pam_sss also doesn't tell anything about the various modules, only that they are available.
Also, the directed configurations (e.g. https://docs.fedoraproject.org/en-US/Fedora/18/html/System_Administrators...) seem to differ slightly that what actually gets configured if one uses 'authconfig --enablesssd --enablesssdauth --update'.
7 years
