sssd performance on large domains
by zfnoctis@gmail.com
Hi,
I'm wondering if there are any plans to improve sssd performance on large active directory domains (100k+ users, 40k+ groups), or if there are settings I am not aware of that can greatly improve performance, specifically for workstation use cases.
Currently if I do not set "ignore_group_members = True" in sssd.conf, logins can take upwards of 6 minutes and "sssd_be" will max the CPU for up to 20 minutes after logon, which makes it a non-starter. The reason I want to allow group members to be seen is that I want certain domain groups to be able to perform elevated actions using polkit. If I ignore group members, polkit reports that the group is empty and so no one can elevate in the graphical environment.
Ultimately this means that Linux workstations are at a severe disadvantage since they cannot be bound to the domain and have the normal set of access features users and IT expect from macOS or Windows.
Distributions used: Ubuntu 16.04 (sssd 1.13.4-1ubuntu1.1), Ubuntu 16.10 (sssd 1.13.4-3) and Fedora 24 (sssd-1.13.4-3.fc24). All exhibit the same problems.
I've also tried "ldap_group_nesting_level = 1" without seeing any noticeable improvement with respect to performance. Putting the database on /tmp isn't viable as these are workstations that will reboot semi-frequently, and I don't believe this is an I/O bound performance issue anyways.
Thanks for your time.
2 years, 3 months
Enumerate users from external group from AD trust
by Bolke de Bruin
Hello,
I have sssd 1.13.00 working against a FreeIPA 4.2 domain. This domain has a trust relationship with an Active Directory domain.
One of the systems we are using requires enumerating all users in groups by (unfortunate) design (Apache Ranger). This is done by using “getent group”. During this enumeration the full user list for a group that has a nested external member group* is not always returned, so we thought to add “getent group mygroup” in order to get more details. Unfortunately this does not seem to work consistently: sometimes this gives information, sometimes it does not:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
[root@master centos]# id bolke@ad.local
UID=1796201107(bolke@ad.local) GID=1796201107(bolke@ad.local) groepen=1796201107(bolke@ad.local),1796200513(domain users@ad.local),1796201108(test@ad.local)
[root@master centos]# getent group ad_users
ad_users:*:1950000004:bolke@ad.local
If I clear the cache (sss_cache -E) the entry is gone again:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
My question is how do I get sssd to enumerate *all users* in a group consistently?
Thanks!
Bolke
* https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-g...
4 years, 5 months
'no primary group ID provided' when trying to use ldap mode against AD
by Daniel Hermans
Hi,
I'd like to use sssd in ldap mode against Active Directory, so I have defined:
id_provider = ldap
auth_provider = ldap
Yes, krb5 would be better, but I only have a BIND account and cannot add computer objects.
This 'should' be possible - it works with nslcd. As I don't have POSIX attributes I'm using:
ldap_id_mapping = true
fallback_homedir = /home/%d/%u
default_shell = /bin/bash
sssd can bind with LDAPS and seems to get user info from the domain:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Some User,OU=Admin Accounts,DC=dev,DC=somedomain,DC=com].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_process_result] (0x2000): Trace: sh[0x7f5d15fbc030], connected[1], ops[0x7f5d1639d140], ldap[0x7f5d15fb5cd0]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_op_destructor] (0x2000): Operation 3 finished
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_search_user_process] (0x4000): Retrieved total 1 users
The UID mapping seems to succeed:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): Save user
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x4000): Failed to retrieve UUID [2][No such file or directory].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): SID S-1-5-21-3970895924-989261097-3267629119-1443 does not belong to any known domain
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_primary_name] (0x0400): Processing object someuser
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): Processing user someuser
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x1000): Mapping user [someuser] objectSID [S-1-5-21-3970895924-989261097-3267629119-1443] to unix ID
But it gets no further with this message:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_idmap_primary_gid] (0x0080): no primary group ID provided
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0020): Cannot get the GID for [someuser] in domain [extdev].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0020): Failed to save user [someuser]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
Have tried against two different domains with identical results (one a cleanly installed 2012R2 domain).
Any ideas what I'm doing wrong? Is this possible? Various (old) posts suggest it is.
This was first (incorrectly) posted to sssd-devel, Jakub Hrozek updated and told me to define ldap_idmap_default_domain_sid so sssd no longer reports this:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): SID S-1-5-21-3970895924-989261097-3267629119-1443 does not belong to any known domain
Thanks in advance!!
7 years
sssd-13.4 can't login
by Longina Przybyszewska
Hi,
Can you help me with a problem I have been struggling with for quite a while, which appeared after the upgrade to sssd-13.4 (Ubuntu Xenial):
The user cannot log in;
The home directory (NFS, secured with Kerberos) is mounted with proper ID mapping, but the user is refused login to the desktop (lightdm).
SSH login is possible, but permission is denied when accessing the home directory.
This is setup with:
..
id_provider=ad
use_fully_qualified_names = true
ldap_id_mapping = false
..
In the krb5_child.log I can see suspicious sequence about "krb5_cc_cache_match failed";
Output from the log:
--
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.933479: Sending request (8186 bytes) to ADM.C.DOMAIN (tcp only)
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.934588: Resolving hostname host0a.adm.c.domain.
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.936998: Initiating TCP connection to stream 10.144.5.5:88
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.938147: Sending TCP request to stream 10.144.5.5:88
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.946674: Received answer (8380 bytes) from stream 10.144.5.5:88
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.946720: Terminating TCP connection to stream 10.144.5.5:88
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948199: Response was not from master KDC
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948264: Decoding FAST response
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948342: FAST reply key: rc4-hmac/12E4
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948366: TGS reply is for user@NAT.C.SDU.DK -> host/lnx-adm557.a.c.domain@A.C.DOMAIN with session key aes256-cts/31E4
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948401: TGS request result: 0/Success
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948407: Received creds for desired service host/lnx-adm557.a.c.domain@A.C.DOMAIN
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948416: Storing user@N.C.DOMAIN -> host/lnx-adm557.a.c.domain@A.C.DOMAIN in MEMORY:gNruZJ9
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948440: Creating authenticator for user@N.C.DOMAIN -> host/lnx-adm557.a.c.domain@A.C.DOMAIN, seqnum 0, subkey (null), session key aes256-cts/31E4
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948500: Retrieving host/lnx-adm557.a.c.domain@A.C.DOMAIN from MEMORY:/etc/krb5.keytab (vno 6, enctype aes256-cts) with result: 0/Success
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948585: Decrypted AP-REQ with specified server principal host/lnx-adm557.a.c.domain@A.C.DOMAIN: aes256-cts/DDBF
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948594: AP-REQ ticket: user@N.C.DOMAIN -> host/lnx-adm557.a.c.domain@A.C.DOMAIN, session key aes256-cts/31E4
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948813: Negotiated enctype based on authenticator: aes256-cts
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948828: Initializing MEMORY:rd_req2 with default princ user@N.C.DOMAIN
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948837: Storing user@N.C.DOMAIN -> host/lnx-adm557.a.c.domain@A.C.DOMAIN in MEMORY:rd_req2
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948849: Destroying ccache MEMORY:gNruZJ9
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [validate_tgt] (0x0400): TGT verified using key for [host/lnx-adm557.a.c.domain@A.C.DOMAIN].
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948876: Retrieving user@N.C.DOMAIN -> host/lnx-adm557.a.c.domain@A.C.DOMAIN from MEMORY:rd_req2 with result: 0/Success
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948967: Retrieving LNX-ADM557$@A.C.DOMAIN from MEMORY:/etc/krb5.keytab (vno 6, enctype aes256-cts) with result: 0/Success
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [user\@N.C.DOMAIN@A.C.DOMAIN] might not be correct.
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.949031: Destroying ccache MEMORY:rd_req2
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/tmp/krb5cc_10002_XXXXXX]
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal user@N.C.DOMAIN in cache collection]
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [create_ccache] (0x4000): Initializing ccache of type [FILE]
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [create_ccache] (0x4000): returning: 0
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [switch_creds] (0x0200): Switch user to [10002][30000000].
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [switch_creds] (0x0200): Already user [10002].
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [k5c_send_data] (0x0200): Received error code 0
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [pack_response_packet] (0x2000): response packet size: [138]
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [k5c_send_data] (0x4000): Response sent.
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [main] (0x0400): krb5_child completed successfully
--
ls -l /tmp/krb5cc_10002_gIeneD
-rw------- 1 user@n.c.domain lnx-primary@a.c.domain 16482 Oct 25 16:14 /tmp/krb5cc_10002_gIeneD
klist -c /tmp/krb5cc_10002_gIeneD
Ticket cache: FILE:/tmp/krb5cc_10002_gIeneD
Default principal: user@N.C.DOMAIN
Valid starting       Expires              Service principal
10/25/2016 16:14:35  10/26/2016 02:14:35  krbtgt/N.C.DOMAIN@N.C.DOMAIN
        renew until 10/26/2016 02:14:35
10/25/2016 16:14:36  10/26/2016 02:14:35  krbtgt/C.SDU.DK@N.C.DOMAIN
        renew until 10/26/2016 02:14:35
10/25/2016 16:14:36  10/26/2016 02:14:35  nfs/adm-lnx-nfs0a.a.c.domain@
        renew until 10/26/2016 02:14:35
10/25/2016 16:14:36  10/26/2016 02:14:35  nfs/adm-lnx-nfs0a.a.c.domain@A.C.DOMAIN
        renew until 10/26/2016 02:14:35
Best,
Longina
7 years, 5 months
Allow user to login only when backend offline
by Kevin Sullivan
What is the SSSD approach to allowing a user to log in only when its backend is offline?
I currently have an OpenLDAP server that I authenticate against via SSSD and PAM to login. Normally, I can log into my machines with the accounts stored in LDAP, however, I would like to still be able to log into those machines even if my LDAP server is not online. I want to have an emergency user that is able to login when LDAP is not online, but I don't want the emergency user to be able to log in when LDAP is online. I don't want to cache credentials and I can't guarantee that the account will have been used to login before LDAP is offline.
What I am currently doing that doesn't work is having a locked account in LDAP for the emergency user. So if someone tries to log in as the emergency user it will fail. The emergency user is disabled by setting `ldap_access_order` to `expire`. Unfortunately, when LDAP is offline, the emergency user still has the locked attribute since the user's attributes are cached. So the emergency user still fails to log in.
So my questions are:
1. SSSD is caching my user information (not credentials) when my LDAP server is offline. Is there a way to not cache user information or drop it after a set amount of time?
I don't think there is a way, but I want to ask. I also don't think that this is the SSSD mindset, which leads to my next question.
2. What is the SSSD way to allow a user to only login when its backend is offline?
Is there a way to do special things when a backend is offline? Instead of locking the account through a client-side 'access' check, should I be doing this through a server-side mechanism? Am I missing something incredibly obvious? Is this just a stupid approach to begin with?
I am sure there is a good way to do this, I just don't know enough to figure it out.
Thanks,
Kevin
7 years, 5 months
generating sss_obfuscate passwords
by Mario Rossi
Hi,
sss_obfuscate is used locally on servers to replace clear text passwords in sssd.conf. In our environment we have hundreds of servers and what I usually do is manually generate the password on a test server. I would like to automate ldap_default_authtok via a PHP interface or API. This is needed because we use one bind DN per server and I'd like to build a web portal where people can request new server bind DNs and randomly generated passwords.
Is there a way?
Thank you,
Mario
7 years, 5 months
sssd_be
by Ali, Saqib
Newbie question: What does the "be" stand for in sssd_be? And what is the function of sssd_be?
7 years, 5 months
HBAC using just SSSD and LDAP
by Ali, Saqib
Hello,
We currently use ldap_access_filter to control who can log in to the machine. But managing these ldap_access_filter settings across machines is cumbersome. Is there a better way of implementing HBAC?
Thanks
Saqib
7 years, 5 months
ldap netgroup refresh interval in SSSD
by Ali, Saqib
sssd has the following config to set the interval for the sudo rules refresh:
ldap_sudo_full_refresh_interval
What is the configuration to set the interval for the netgroup definition retrieval from LDAP?
7 years, 5 months
Configuring PAM for pam_sss
by Lesley Kimmel
How would a newbie know what sorts of functions the various pam_sss modules (auth/session/password/account) perform in order to decide how to configure them in the PAM stack? I've seen references on Fedorahosted and Red Hat sites, but they just tell you exactly what to set, not why or what the modules are doing. The man page for pam_sss also doesn't tell anything about the various modules, only that they are available.
Also, the directed configurations (e.g. https://docs.fedoraproject.org/en-US/Fedora/18/html/System_Administrators...) seem to differ slightly from what actually gets configured if one uses 'authconfig --enablesssd --enablesssdauth --update'.
7 years, 5 months
UID Auto-increment reset
by Lesley Kimmel
I noticed that when I create a user in the local provider with sss_useradd the UIDs begin at 1000 (or the next available based on current local users in /etc/passwd) and they increment each time as expected. However, if I add a user with sss_useradd and then immediately delete him, the next created user still uses the next higher UID instead of the one freed up from the previous user. This still happens if I clear all sssd cache. Is there a way to reset this counter without explicitly specifying the UID with '-u'?
7 years, 5 months
UID < 1000 Configurable?
by Lesley Kimmel
I was just playing with the sssd local provider and attempting to create a user like 'sss_useradd -u 999 <username>' and I get the error 'The selected UID is outside the allowed range'. Setting UID_MIN in sssd.conf and/or login.defs does not seem to help. Is this a hard-coded limitation?
7 years, 5 months
sssd monitor_quit_signal - causes? No matching domain found for [root], fail!
by Richard Collins
Running Red Hat Enterprise Linux Server release 6.5 (Santiago) - 2.6.32-431.el6.x86_64
SSSD version: sssd-1.13.3-22.el6_8.4.x86_64
I'm seeing (seemingly random?) shutdown/termination of sssd across multiple nodes, all with the same configuration. To my knowledge there is no process going around killing things, we even have a scheduled job to check sssd status and restart every 5 minutes if unavailable:
/var/log/sssd/sssd.log:284469:(Mon Sep 26 12:21:29 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
/var/log/sssd/sssd.log:318707:(Mon Sep 26 16:19:19 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
/var/log/sssd/sssd.log:321889:(Mon Sep 26 16:43:12 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
/var/log/sssd/sssd.log:474327:(Tue Sep 27 10:29:39 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
/var/log/sssd/sssd.log:475205:(Tue Sep 27 10:34:36 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
Right before each shutdown, there are lots of the following nss_cmd_getbynam and sss_ncache_check_str entries for 'root' in sssd_nss.log:
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [38][SSS_NSS_INITGR] with input [root].
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [root] from [<ALL>]
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/MYDOMAIN/root]
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [nss_cmd_initgroups_search] (0x0400): User [root] does not exist in [MYDOMAIN]! (negative cache)
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [nss_cmd_initgroups_search] (0x0080): No matching domain found for [root], fail!
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xf7e120][24]
(Mon Sep 26 16:43:12 2016) [sssd[nss]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down
(Mon Sep 26 16:43:12 2016) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xf7e120][24]
(Mon Sep 26 16:43:12 2016) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xf840e0][23]
(Mon Sep 26 16:43:12 2016) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xf7b500][22]
Corresponding AD log for same period:
(Mon Sep 26 16:43:10 2016) [sssd[be[MYDOMAIN]]] [sbus_dispatch] (0x4000): dbus conn: 0x142aa90
(Mon Sep 26 16:43:10 2016) [sssd[be[MYDOMAIN]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Sep 26 16:43:10 2016) [sssd[be[MYDOMAIN]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Mon Sep 26 16:43:10 2016) [sssd[be[MYDOMAIN]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_remove_watch] (0x2000): 0x1440c50/0x143e080
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_remove_watch] (0x2000): 0x1440c50/0x143e030
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_dispatch] (0x4000): dbus conn: 0x143eb00
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [be_client_destructor] (0x0400): Removed SUDO client
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_remove_watch] (0x2000): 0x1444030/0x14420b0
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_remove_watch] (0x2000): 0x1444030/0x1442060
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_dispatch] (0x4000): dbus conn: 0x1443250
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [be_client_destructor] (0x0400): Removed PAM client
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_remove_watch] (0x2000): 0x143d070/0x142c0d0
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_remove_watch] (0x2000): 0x143d070/0x142aeb0
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_dispatch] (0x4000): dbus conn: 0x143c570
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [be_client_destructor] (0x0400): Removed NSS client
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [be_ptask_destructor] (0x0400): Terminating periodic task [SUDO Smart Refresh]
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [be_ptask_destructor] (0x0400): Terminating periodic task [SUDO Full Refresh]
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sdap_handle_release] (0x2000): Trace: sh[0x14f9ff0], connected[1], ops[(nil)], ldap[0x1449c10], destructor_lock[0], release_memory[0]
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [remove_connection_callback] (0x4000): Successfully removed connection callback.
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_remove_watch] (0x2000): 0x142f250/0x1417480
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [remove_socket_symlink] (0x4000): The symlink points to [/var/lib/sss/pipes/private/sbus-dp_MYDOMAIN.11328]
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [remove_socket_symlink] (0x4000): The path including our pid is [/var/lib/sss/pipes/private/sbus-dp_MYDOMAIN.11328]
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [remove_socket_symlink] (0x4000): Removed the symlink
AD controllers are WIN2012R2
SSSD is configured with a single domain (MYDOMAIN)
######begin sssd.conf (redacted)#####
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = MYDOMAIN
debug_level = 9
[nss]
default_shell = /bin/bash
debug_level = 9
filter_users = root
filter_groups = root
[pam]
debug_level = 9
[sudo]
debug_level = 9
[domain/MYDOMAIN]
id_provider = ldap
access_provider = simple
cache_credentials = false
debug_level = 9
ldap_server = _srv_
ldap_search_base = #########
ldap_id_use_start_tls = true
ldap_tls_reqcert = allow
ldap_default_bind_dn = #########
ldap_default_authtok_type = password
ldap_default_authtok = #########
ldap_user_search_base = ou=BusinessUnits,dc=mydomain
ldap_user_object_class = user
ldap_id_mapping = true
ldap_schema = ad
ldap_group_search_base = #########
ldap_group_object_class = group
ldap_referrals = false
enumerate = false
override_homedir = /export/home/%u
ldap_group_nesting_level = 5
ldap_use_tokengroups = false
simple_allow_groups = sasi,sasadmin,sasmgt
ldap_access_order = expire
ldap_account_expire_policy = ad
######end sssd.conf#####
7 years, 5 months
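A small parser for the SSSD debug-log line format that appears throughout these threads, added here as an example and not part of the original post or of SSSD itself. The sample lines are constructed after the sssd_nss.log and sssd.log excerpts above (including the path:lineno: prefix grep adds), and events_before() is my own helper name, not an SSSD tool.

```python
"""Parse SSSD debug-log lines and collect the entries logged shortly before a
marker event such as monitor_quit_signal. Sample lines are constructed."""
import re
from datetime import datetime, timedelta

# SSSD debug-level bit masks, i.e. the hex value printed in parentheses.
LEVEL_NAMES = {
    0x0010: "fatal", 0x0020: "critical", 0x0040: "serious",
    0x0080: "minor", 0x0100: "config", 0x0200: "func_data",
    0x0400: "trace_func", 0x1000: "trace_libs",
    0x2000: "trace_internal", 0x4000: "trace_all",
}

# Optional "path:lineno:" grep prefix, then
# "(Mon Sep 26 16:43:11 2016) [sssd[nss]] [function] (0x0400): message".
# The component field has no spaces but may nest brackets, e.g.
# [[sssd[krb5_child[3331]]]] or [sssd[be[MYDOMAIN]]].
LINE_RE = re.compile(
    r"^(?:(?P<file>[^\s:]+):(?P<lineno>\d+):)?"
    r"\((?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\) "
    r"(?P<component>\[\S*\]) "
    r"\[(?P<function>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): "
    r"(?P<message>.*)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Constructed sample, modelled on the excerpts in the thread.
SAMPLE_LOG = """\
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [38][SSS_NSS_INITGR] with input [root].
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/MYDOMAIN/root]
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [nss_cmd_initgroups_search] (0x0080): No matching domain found for [root], fail!
/var/log/sssd/sssd.log:321889:(Mon Sep 26 16:43:12 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
(Mon Sep 26 16:43:12 2016) [sssd[nss]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
this line is not an sssd log entry and is skipped
"""


def parse_line(line):
    """Return a dict for one SSSD log line, or None if it is not one."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    level = int(m.group("level"), 16)
    return {
        "file": m.group("file"),
        "lineno": int(m.group("lineno")) if m.group("lineno") else None,
        "timestamp": datetime.strptime(m.group("ts"), TS_FORMAT),
        "component": m.group("component"),
        "function": m.group("function"),
        "level": level,
        "level_name": LEVEL_NAMES.get(level, "unknown"),
        "message": m.group("message"),
    }


def parse_log(text):
    """Parse every recognisable line in file order, skipping anything else."""
    entries = (parse_line(line) for line in text.splitlines())
    return [e for e in entries if e is not None]


def failures(entries):
    """Entries logged at a failure level (fatal .. minor, 0x0010..0x0080)."""
    return [e for e in entries if e["level"] <= 0x0080]


def events_before(entries, marker_function, window_seconds):
    """For each entry logged by marker_function, collect the entries that
    precede it in the log and fall within window_seconds of its timestamp.
    Returns one list per marker occurrence."""
    windows = []
    for i, marker in enumerate(entries):
        if marker["function"] != marker_function:
            continue
        start = marker["timestamp"] - timedelta(seconds=window_seconds)
        windows.append([e for e in entries[:i] if e["timestamp"] >= start])
    return windows


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in failures(parsed):
        print(f"{e['timestamp']} {e['level_name']:8} {e['function']}: {e['message']}")
    for window in events_before(parsed, "monitor_quit_signal", 2):
        print(f"{len(window)} entries in the 2 s before shutdown")
```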
UIDs and GIDs closely to the max range available
by mg_gonzalez8@hotmail.com
Hi all, thanks for your time. I have a question regarding 'ldap_idmap_range_max = 2000100000'. I have users with UIDs and GIDs close to the maximum of the available range. How can I keep them under this maximum range? Or is there any other solution to restrict the sssd configuration to only retrieve certain users and groups from an AD?
I already tried with "ad_access_filter = (memberOf=cn=admins,ou=Testou,dc=example,dc=com)".
(Ubuntu 14.04 LTS)
7 years, 5 months
SSH AuthorizedKeysCommand and SSSD default_domain_suffix
by Troels Hansen
Hi there
After default_domain_suffix finally began working correctly in SSSD 1.14 we have started using it, but have found a side effect of not logging in with the full domain:
We currently have some AD domain users having an override on our IPA servers, where they have added their SSH key.
If AuthorizedKeysCommand is set to sss_ssh_authorizedkeys in SSH without a domain (-d) it will not try to look up the user's SSH key.
I would suppose that sss_ssh_authorizedkeys should at least try to look up the user with the default_domain_suffix from sssd.conf?
Even better would probably be to implement a fallback to try both the configured ipa_domain and default_domain_suffix?
--
Kind regards
Troels Hansen
System consultant
Casalogic A/S
T (+45) 70 20 10 63
M (+45) 22 43 71 57
Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
7 years, 5 months
sssd simple_allow_groups & ad not working
by brettswift@gmail.com
RHEL 6.4
sssd v1.11.6
Preface : I'm just recently absorbing sssd so I might be missing something here. I assume that you can use the simple access provider with the ad id_provider.
In my domain section:
cache_credentials = true
id_provider = ad
auth_provider = ad
access_provider = simple
default_shell = /bin/bash
fallback_homedir = /home/%u
use_fully_qualified_names = false
ignore_group_members = true
And below I've tried a few things in the domain section:
simple_allow_users = bswift ---> this works!
simple_allow_groups = sjrb.lg.it.cfg.cdo --> this doesn't work :(
I'd really prefer to use the simple provider as it's just easier to configure. We are using puppet as our config management tool so non-admins could submit pull requests via git and they'd only have to know a simpler user API, and not understand SSSD or LDAP queries.
Is this a deficiency in the version I'm using?
I found a post on this forum where setting "ldap_use_tokengroups = false" might help, tried that.. didn't help.
debug_level = 7 gives me this log output (just the last few lines)
(Wed Nov 16 08:26:48 2016) [sssd[be[SJRB.AD]]] [simple_access_obtain_filter_lists] (0x0200): Allow users list is empty.
(Wed Nov 16 08:26:48 2016) [sssd[be[SJRB.AD]]] [simple_access_obtain_filter_lists] (0x0200): Deny users list is empty.
(Wed Nov 16 08:26:48 2016) [sssd[be[SJRB.AD]]] [simple_access_obtain_filter_lists] (0x0200): Deny groups list is empty.
(Wed Nov 16 08:26:48 2016) [sssd[be[SJRB.AD]]] [simple_access_check_send] (0x0200): Simple access check for bswift
(Wed Nov 16 08:26:48 2016) [sssd[be[SJRB.AD]]] [simple_check_get_groups_send] (0x1000): Looking up groups for user bswift
(Wed Nov 16 08:26:48 2016) [sssd[be[SJRB.AD]]] [simple_check_get_groups_send] (0x0400): User bswift is a member of 74 supplemental groups
(Wed Nov 16 08:26:48 2016) [sssd[be[SJRB.AD]]] [simple_check_get_groups_send] (0x0400): All groups had name attribute
(Wed Nov 16 08:26:48 2016) [sssd[be[SJRB.AD]]] [simple_access_check_recv] (0x1000): Access not granted
One thing that may be causing this is in AD under this group name, I see this:
"To enable access to this group for UNIX clients you will need to specify the NIS domain this group belongs to." However the dropdown is empty (maybe access rights as I'm not the domain admin).
Sometimes what you read on a windows box isn't the full truth.. maybe it is in this case?
Any direction here would be appreciated.
Thanks!
7 years, 5 months
Question about AD authentication and trusts
by Guy Knights
Hi,
Can anyone confirm for me whether SSSD supports authentication of users belonging to a trusted domain via an AD controller in the trusting domain?
I.e. a user attempts to log in as fred@test1.example.com on a client machine running SSSD, where SSSD has joined a domain test2.example.com and there is a 2-way forest trust between both domains. Is this supported? I've been trying to do so and so far it hasn't been working.
For the record, my setup is:
AD controller domain test1: Windows server 2012 R2
AD controller domain test2: Windows server 2012 R2
Ubuntu 14.04 client running SSSD 1.12.5
Thanks,
Guy
7 years, 5 months
Only one (main) group listed for users
by gstaniak@gmail.com
Hi,
I've been trying to set up a Fedora 24 Linux notebook to integrate with company AD using realmd+sssd. The sssd.conf is pretty simple:
[pam]
offline_credentials_expiration = 31
debug_level = 6
[sssd]
domains = the.domain
config_file_version = 2
services = nss, pam
debug_level = 6
[domain/the.domain]
ad_domain = the.domain
krb5_realm = THE.DOMAIN
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ldap_schema = ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
ldap_schema = rfc2307bis
#ldap_group_member = uniqueMember
debug_level = 6
enumerate = true
I joined the realm/AD without any problems, but when I log in as an AD user, running 'id' and 'groups' lists just one (main) group for my user. However, when I run the command 'id <username>' and 'groups <username>' from the root account OR a local user account, all groups that the <username> belongs to are listed. I suspected local group membership, so I added the AD user to the same groups as the local user, but that didn't improve the situation.
After I tried to add the "ldap_group_option" (commented out above), purged the cache and restarted sssd, I lost the group listings even from the root and local accounts: they all now list just the highest level "domain users" group for the user in 'id' and 'groups' output, and instead of a long list of names as the result of 'getent group domain\ users' all I get now is:
# getent group domain\ users
domain users:*:1763200513:$d3f33f9-6c0c33b5b410283,$bfb716e9-67211aebe1652897,$f45c71f7-5ed7e3c5d1020d99
What could be the reason for this? How can I debug the issue?
Thanks,
Greg
7 years, 5 months
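The sssd.conf posted above sets access_provider twice and ldap_schema twice, the second time with a different value (ad, then rfc2307bis), so whichever occurrence the daemon keeps is the one in effect. The following is an added example, not code from the post or from the SSSD project: a small lint that parses an sssd.conf and reports every key set more than once in a section. It assumes only the INI conventions sssd.conf uses ([section] headers, key = value lines, '#'/';' comments); that the last of two duplicated values wins is an assumption, and the sample config is a constructed copy of the posted one.

```python
"""Lint an sssd.conf for keys that are set more than once in one section.

Added example for this thread; it is not code from the original post or from
the SSSD project. It assumes only the INI conventions sssd.conf follows:
[section] headers, key = value lines, and '#' / ';' comment lines. Which of two
duplicated values the daemon actually keeps is an assumption (modelled here as
last-wins); the point of the lint is that only one of them can take effect.
"""
import re
from collections import OrderedDict

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
KEY_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")

# Constructed sample modelled on the config posted above: access_provider and
# ldap_schema are each set twice in the domain section, ldap_schema with two
# different values. The commented-out ldap_group_member line is not a setting.
SAMPLE_CONF = """\
[sssd]
domains = the.domain
config_file_version = 2
services = nss, pam
debug_level = 6

[domain/the.domain]
ad_domain = the.domain
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ldap_schema = ad
#ldap_group_member = uniqueMember
ldap_schema = rfc2307bis
debug_level = 6
enumerate = true
"""


def parse_sssd_conf(text):
    """Return {section: {key: [(lineno, value), ...]}}, keeping every occurrence."""
    sections = OrderedDict()
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment; a commented-out key is not set
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, OrderedDict())
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2).strip()
            sections[current].setdefault(key, []).append((lineno, value))
    return sections


def find_duplicates(sections):
    """List (section, key, [(lineno, value), ...]) for every key set more than once."""
    return [
        (section, key, occurrences)
        for section, keys in sections.items()
        for key, occurrences in keys.items()
        if len(occurrences) > 1
    ]


def effective_value(sections, section, key):
    """The value assumed to win when a key is repeated: the last one in the section."""
    occurrences = sections.get(section, {}).get(key)
    return occurrences[-1][1] if occurrences else None


def report(text):
    """Lint lines; duplicates with differing values are marked CONFLICT."""
    sections = parse_sssd_conf(text)
    out = []
    for section, key, occurrences in find_duplicates(sections):
        values = {v for _, v in occurrences}
        where = ", ".join(f"line {n}" for n, _ in occurrences)
        kind = "CONFLICT" if len(values) > 1 else "redundant"
        out.append(f"[{section}] {key}: {kind}, set at {where}; effective value "
                   f"(assumed last-wins): {effective_value(sections, section, key)!r}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONF)) or "no duplicated keys")
```

Run it against a real /etc/sssd/sssd.conf before restarting the daemon; a CONFLICT line is worth resolving by hand before looking anywhere else, because the debug log will only ever show the value that won.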
I have no name prompt and no passwords recognized
by Ronny Forberger
Hi,
I am using SSSD and FreeBSD to authenticate against samba4.
I used this howto setting all up:
http://serverfault.com/questions/599200/how-to-integrate-active-directory...
But when I want to log on using a password, i.e. via dovecot, I get "wrong password".
Neither can I use sudo, typing the correct samba4 password.
Also I get a prompt [I have no name!@HOSTNAME] and my files, which I chowned &
chgrped to the samba user and group only show IDs as owner.
I have already asked on the FreeBSD mailing list, but they couldn't help me.
Any ideas how to solve this? Can this maybe be a permission problem with some
file for sssd / NSS which an unprivileged user cannot read?
I have set UNIX attributes on the user I want to logon with.
Best regards,
Ronny Forberger
7 years, 5 months
sssd cannot modify the mtime of krb5.conf
by Ronny Forberger
Hi,
I get the following error on sssd on FreeBSD:
(Fri Nov 11 18:15:36 2016) [sssd[be[ronnyforberger.de]]] [sss_krb5_touch_config] (0x0020):
Unable to change mtime of "${prefix}/etc/krb5.conf" [2]: No such file or
directory
(Fri Nov 11 18:15:36 2016) [sssd[be[ronnyforberger.de]]] [sss_write_domain_mappings]
(0x0020): Unable to change last modification time of krb5.conf. Created mappings may not
be loaded.
The krb5.conf is owned and writeable by root and sssd also runs as root.
What can be the problem?
Best regards,
Ronny
7 years, 6 months
sssd.conf and /var/lib/sss/db/config.ldb
by Daniel Hermans
Hi,
Not sure if this is a bug or not, but a quick warning that hopefully may save someone some time!
We use puppet to install sssd based on a condition. We:
- yum install -y sssd
- authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap --enableldapauth --enablemkhomedir --enablecachecreds --update (to set up PAM and nsswitch; not sure if ALL of these are necessary?)
- copy over our private config (as you can't do all of the config with authconfig, as far as I can see)
This didn't work: intermittently sssd was using a 'stale' config. After much headbutting, the issue was twofold:
- sssd is started and activated by the authconfig command, this creates config.ldb and cache_default.ldb
- puppet writes the config file immediately and sssd restarted
- sssd compares modification time of /etc/sssd/sssd.conf with /var/lib/sss/db/config.ldb and, because the times are the same ( written in the same minute ), IT IGNORES the new config file
Solution:
- add a '--nostart' to the authconfig to stop the initial start, this will prevent creation of the cache. Copy over the config and then start/enable ( which will create the cache ).
Not sure if related but there is a TODO in the code around this area (src/confdb/confdb_setup.c)
ret = sss_ini_get_mtime(init_data, sizeof(timestr), timestr);
if (ret <= 0 || ret >= (int)sizeof(timestr)) {
DEBUG(SSSDBG_FATAL_FAILURE,
"Failed to convert time_t to string ??\n");
ret = errno ? errno : EFAULT;
}
/* FIXME: Determine if the conf file or any snippet has changed
* since we last updated the confdb or if some snippet was
* added or removed.
*/
Puppet then
7 years, 6 months
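The race described in this post, as an added example that is not part of the original message or of SSSD's code: a timestamp of sssd.conf is recorded when the confdb is built and compared with the file's current timestamp on the next start, so a rewrite that lands in the same timestamp tick looks like "unchanged". The example assumes the stored value is st_mtime in whole seconds (as the quoted sss_ini_get_mtime snippet suggests) and pins the second write to the same second with os.utime so the race reproduces deterministically; the two config texts are constructed stand-ins for the authconfig default and the puppet-managed file.

```python
"""Why a coarse mtime comparison can miss a config rewrite.

Added example for this thread; not code from the original post or from SSSD.
It models the check described above: a timestamp of /etc/sssd/sssd.conf is
recorded when the confdb is built and later compared with the file's current
timestamp. The stored value is assumed here to be st_mtime in whole seconds
(as the quoted sss_ini_get_mtime snippet suggests). A second write that lands
inside the same second is invisible to that check but not to a content digest.
"""
import hashlib
import os
import tempfile

# Constructed stand-ins for the config authconfig starts sssd with and the
# site config puppet copies over it a moment later.
DEFAULT_CONF = "[sssd]\nservices = nss, pam\ndomains = default\n"
SITE_CONF = "[sssd]\nservices = nss, pam, sudo\ndomains = example.com\n"


def mtime_stamp(path):
    """Whole-second mtime as a string, like a confdb timestamp (assumption)."""
    return str(int(os.stat(path).st_mtime))


def content_digest(path):
    """SHA-256 of the file's bytes; changes whenever the content changes."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def changed_by_mtime(path, stored_stamp):
    return mtime_stamp(path) != stored_stamp


def changed_by_digest(path, stored_digest):
    return content_digest(path) != stored_digest


def same_second_rewrite():
    """Snapshot a config, overwrite it inside the same second, ask both checks.

    The rewrite's mtime is pinned to the snapshot second with os.utime so the
    race is reproduced deterministically instead of depending on timing.
    Returns {"mtime_says_changed": bool, "digest_says_changed": bool}.
    """
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "sssd.conf")
        with open(conf, "w") as f:
            f.write(DEFAULT_CONF)
        stored_stamp = mtime_stamp(conf)       # what the confdb would remember
        stored_digest = content_digest(conf)   # what a digest-based check would remember

        with open(conf, "w") as f:
            f.write(SITE_CONF)
        t = int(stored_stamp)
        os.utime(conf, (t, t))                 # same second as the snapshot

        return {
            "mtime_says_changed": changed_by_mtime(conf, stored_stamp),
            "digest_says_changed": changed_by_digest(conf, stored_digest),
        }


if __name__ == "__main__":
    print(same_second_rewrite())
```

The mtime check answers "no change" while the digest answers "changed". The --nostart ordering from the post avoids the race by making sure the daemon never sees the interim default; removing /var/lib/sss/db/config.ldb before the restart also forces the confdb to be rebuilt from the current sssd.conf.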
Problem mixed provider
by Michael Wandel
Hey,
I want to setup the following scenario.
- the nss will be used from the local source (/etc/passwd, /etc/group)
- the pam authentication will come from ldap that will exist on an
Windows AD server
The OS is a CentOS 7.2.
The actual test setup gives me some errors that I did not understand:
------------ sssd.conf ----------------
[sssd]
config_file_version = 2
services = pam, nss
domains = testad
[nss]
[pam]
[domain/testad]
id_provider = proxy
proxy_lib_name = files
auth_provider = ldap
ldap_schema = AD
ldap_default_bind_dn = cn=administrator,cn=users,dc=example,dc=com
ldap_default_authtok=XXXXXXXXXXXX
ldap_uri = ldaps://192.168.122.222:3269/
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
-------- sssd_testad.log -----------------------------
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [set_server_common_status] (0x0100): Marking server '192.168.122.222' as 'working'
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [fo_set_port_status] (0x0400): Marking port 3269 of duplicate server '192.168.122.222' as 'working'
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=example,dc=com]
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=testnutzer1)(objectclass=user))][dc=example,dc=com].
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [sdap_get_generic_op_finished] (0x0400): Search result: Operations error(1), 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [sdap_get_generic_op_finished] (0x0040): Unexpected result from ldap: Operations error(1), 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [generic_ext_search_handler] (0x0040): sdap_get_generic_ext_recv failed [5]: Input/output error
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [get_user_dn_done] (0x0040): Failed to retrieve users
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
It would be great if somebody could say whether it is a structural problem or a misconfiguration.
Any helpful tip would be appreciated.
best regards
Michael
m.wandel(a)t-online.de
7 years, 6 months
Windows 10 prefers NTLMSSP to KRB5
by johnnykimble@gmail.com
Hi all,
I've posted a thread about this on the Samba mailing list and been redirected to the SSSD experts here (see https://lists.samba.org/archive/samba/2016-November/204371.html)
I'm using a Samba file server as a domain member in a Windows 2012 AD domain. Everything works correctly as a pre-Windows 10 user (8.1 and 7), with authentication of domain users being handled by SSSD, as well as resolution of the SIDs on the Samba share. However, when Windows 10 connects to the Samba share, it presents (or selects) only 1 GSS-API mechanism, NTLMSSP.
My preference for SSSD over Winbind was because I don't need to support NTLM and prefer the most secure KRB5.
Is it possible to configure SSSD (if indeed it's SSSD's responsibility...) so that NTLMSSP is not presented as a GSS-API mechanism? Any ideas why Windows 10 would be behaving in what looks to be a less secure fashion than previous Windows versions?
Many thanks,
JK
7 years, 6 months
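The question in this post, which mechanisms a client actually offered, can be answered from the SPNEGO NegTokenInit in the client's session-setup blob: its mechTypes list is the client's offer, in preference order. The following is an added example, not code from the post, from Samba or from SSSD, that decodes that list from a token. The sample tokens are constructed with the small DER encoder in the block rather than captured from a real client; the mechanism OIDs are the standard ones.

```python
"""Decode the mechTypes list of a SPNEGO NegTokenInit.

Added example for this thread; it is not code from the post, Samba or SSSD.
From a captured session-setup security blob it answers which GSS-API
mechanisms the client offered. The sample tokens are built with the encoder
below (not captured from a client); the OIDs are the standard mechanism OIDs.
"""

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "KRB5",
    "1.2.840.48018.1.2.2": "MS KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
}

def der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def build_neg_token_init(mech_oids):
    """Constructed sample: InitialContextToken { thisMech=SPNEGO, [0] NegTokenInit { [0] mechTypes } }."""
    mech_types = der_tlv(0xA0, der_tlv(0x30, b"".join(der_oid(o) for o in mech_oids)))
    return der_tlv(0x60, der_oid(SPNEGO_OID) + der_tlv(0xA0, der_tlv(0x30, mech_types)))

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def expect(buf, pos, tag, what):
    """Read the TLV at pos and check its tag; return (value_start, value_end)."""
    t, s, e = read_tlv(buf, pos)
    if t != tag:
        raise ValueError(f"expected {what} (tag 0x{tag:02X}), got 0x{t:02X}")
    return s, e

def mech_types(token):
    """Dotted OIDs offered in the NegTokenInit, in the client's preference order."""
    s, _ = expect(token, 0, 0x60, "InitialContextToken")
    s_oid, e_oid = expect(token, s, 0x06, "thisMech OID")
    if decode_oid(token[s_oid:e_oid]) != SPNEGO_OID:
        raise ValueError("thisMech is not SPNEGO")
    s, _ = expect(token, e_oid, 0xA0, "negTokenInit")
    s, _ = expect(token, s, 0x30, "NegTokenInit SEQUENCE")
    s, _ = expect(token, s, 0xA0, "mechTypes")
    pos, end = expect(token, s, 0x30, "MechTypeList")
    oids = []
    while pos < end:
        s_oid, e_oid = expect(token, pos, 0x06, "MechType OID")
        oids.append(decode_oid(token[s_oid:e_oid]))
        pos = e_oid
    return oids

def offered_mechs(token):
    """Mechanism names the client offered; unknown OIDs are kept in dotted form."""
    return [MECH_NAMES.get(o, o) for o in mech_types(token)]

def offers_kerberos(token):
    return any(n in ("KRB5", "MS KRB5") for n in offered_mechs(token))
```

Feed mech_types() the security blob of the first SESSION_SETUP request from a capture; if Kerberos is absent from the offer, the server side (Samba, SSSD's libwbclient, or anything else) never had a Kerberos token to accept, and the fix is on the client (SPN resolution, the name the share is accessed by, or the client's policy), not in the server's mechanism list.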
special sssd use, id_provider=proxy, auth_provider=ldap
by Michael Wandel
Hey,
I'm struggling a bit with my sssd configuration. We want to use local accounts (users and groups), and the LDAP of the Windows AD should be used for authentication. My current configuration throws some errors that I can't understand.
---------- sssd.conf ------------
[sssd]
config_file_version = 2
services = pam, nss
domains = testad
[nss]
[pam]
[domain/testad]
id_provider = proxy
proxy_lib_name = files
auth_provider = ldap
ldap_schema = AD
ldap_default_bind_dn = cn=administrator,cn=users,dc=example,dc=com
ldap_default_authtok=XXXXXXXXXXXX
ldap_uri = ldaps://192.168.122.222:3269/
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
----------- sssd_testad.log ---------------------
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=example,dc=com]
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=testnutzer1)(objectclass=user))][dc=example,dc=com].
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [sdap_get_generic_op_finished] (0x0400): Search result: Operations error(1), 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [sdap_get_generic_op_finished] (0x0040): Unexpected result from ldap: Operations error(1), 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [generic_ext_search_handler] (0x0040): sdap_get_generic_ext_recv failed [5]: Input/output error
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [get_user_dn_done] (0x0040): Failed to retrieve users
Every tip is welcome; I'm not sure if it is possible to use this combination of id / auth provider.
best regards
Michael Wandel
7 years, 6 months
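Both of the posts above show the same LDAP error, and the useful part of it is the leading field: 000004DC is the Win32 code ERROR_NOT_AUTHENTICATED, i.e. the user search went out on a connection on which no bind had completed, even though the config carries an ldap_default_bind_dn and ldap_default_authtok. The following is an added example for both threads, not code from the posts or from SSSD: a parser for the diagnostic message Active Directory attaches to LDAP errors, with a table of the well-known codes, run over constructed log lines (the first two mirror the posted sssd_be log, the third is a typical simple-bind failure). Anyone copying the posted config should also note that ldap_tls_reqcert = allow lets the session proceed on a bad or missing server certificate, which puts the bind DN's password at the mercy of whoever answers on that address.

```python
"""Parse and explain the diagnostic message Active Directory attaches to an LDAP error.

Added example for the two posts above; it is not code from the posts or from SSSD.
AD formats the message as
    <Win32 error, 8 hex digits>: LdapErr: DSID-<hex>, comment: <text>, data <hex>, v<hex>
The leading field is the Win32 error code and is the part worth decoding. The code
in both logs, 000004DC, is ERROR_NOT_AUTHENTICATED: the search went out on a
connection on which no bind had completed.
"""
import re

DIAG_RE = re.compile(
    r"(?P<code>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v(?P<version>[0-9A-Fa-f]+)"
)

WIN32_ERRORS = {
    0x000004DC: "ERROR_NOT_AUTHENTICATED: operation requires a completed bind",
    0x80090308: "SEC_E_INVALID_TOKEN: bind rejected, reason in the data field",
}

# Sub-codes AD puts in 'data' when a simple bind fails (LDAP result 49).
BIND_DATA = {
    0x525: "user not found",
    0x52E: "invalid credentials",
    0x530: "logon not permitted at this time",
    0x531: "logon not permitted from this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "password must be changed",
    0x775: "account locked out",
}


def parse_ad_diag(text):
    """Return {'code','dsid','comment','data','version'} or None if the text has no AD diag."""
    m = DIAG_RE.search(text)
    if not m:
        return None
    return {
        "code": int(m.group("code"), 16),
        "dsid": m.group("dsid").upper(),
        "comment": m.group("comment").strip(),
        "data": int(m.group("data"), 16),
        "version": m.group("version"),
    }


def explain(text):
    """One-line explanation of an AD diagnostic message, or None if there is none."""
    d = parse_ad_diag(text)
    if d is None:
        return None
    reason = WIN32_ERRORS.get(d["code"], "unrecognised Win32 error")
    if d["code"] == 0x80090308 and d["data"] in BIND_DATA:
        reason += f" ({BIND_DATA[d['data']]})"
    return f"0x{d['code']:08X} {reason}; AD comment: {d['comment']}"


def scan(lines):
    """Explain every AD diagnostic message found in a sequence of log lines."""
    return [e for e in map(explain, lines) if e is not None]


# Constructed sample log lines: the first two mirror the sssd_be log in the posts
# (the second carries no AD diagnostic); the third is a typical simple-bind failure.
SAMPLE_LOG = [
    "(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [sdap_get_generic_op_finished] (0x0400): "
    "Search result: Operations error(1), 000004DC: LdapErr: DSID-0C0906E8, comment: In order to "
    "perform this operation a successful bind must be completed on the connection., data 0, v1db1",
    "(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [generic_ext_search_handler] (0x0040): "
    "sdap_get_generic_ext_recv failed [5]: Input/output error",
    "(Mon Nov 7 16:30:02 2016) [sssd[be[testad]]] [simple_bind_done] (0x0080): Bind result: "
    "Invalid credentials(49), 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext "
    "error, data 52e, v1db1",
]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_LOG)))
```

With debug_level raised on the domain, look for the bind result earlier in sssd_testad.log than the failing search: an unauthenticated search means either no bind was attempted on that connection or the bind failed and the failure is a few lines above.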
Announcing SSSD 1.14.2
by Jakub Hrozek
=== SSSD 1.14.2 ===
The SSSD team is proud to announce the release of version 1.14.2 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* Several more regressions caused by cache refactoring to use qualified names internally were fixed, including a regression that prevented the krb5_map_user option from working correctly.
* A regression when logging in with a smart card using the GDM login manager was fixed
* SSSD now removes the internal timestamp cache on startup when the persistent cache is removed. This enables admins to follow their existing workflow of just removing the persistent cache and starting from a fresh slate
* Several fixes to the sssd-secrets responder are present in this release
* A bug in the autofs responder that prevented automounter maps from being returned when sssd_be was offline was fixed
* A similar bug in the NSS responder that prevented netgroups from being returned when sssd_be was offline was fixed
* Disabling the netlink integration can now be done with a new option disable_netlink. Previously, the netlink integration could be disabled with a sssd command line switch, which is being deprecated in this release.
* The internal watchdog no longer kills sssd processes in case time shifts during sssd runtime
* The fail over code is able to cope with concurrent SRV resolution requests better in this release
* The proxy provider gained a new option proxy_max_children that allows the administrator to control the maximum number of child helper processes that authenticate users with auth_provider=proxy
* The InfoPipe D-Bus responder exports the UUIDs of user and group objects through a uniqueID property
== Packaging Changes ==
* The private pipe directory permissions were changed from 0700 to 0750. The restrictive permissions were causing SELinux dac_override denials
* The Python packages for python2 were renamed from python-package to python2-package with backwards-compatible Provides and Obsoletes
* The sssd-common subpackage contains a new manual page sssd-secrets(5)
* The sssd-tools subpackage explicitly Requires /sbin/service on platforms that don't support systemd in order to be able to restart sssd from the sssctl tool
== Documentation Changes ==
* The kill_service option that was no longer useful after we moved from in-process pings to watchdog was removed
* The --disable-netlink sssd(8) command-line option was removed in favor of [sssd] section option disable_netlink
* The proxy_max_children option was added. Please see the highlights section for more details.
* The sssd-secrets responder gained a man page in this release.
* Two new options, containers_nest_level and max_secrets, were added to the sssd-secrets responder. The former allows the administrator to configure the maximum nesting level of secrets containers, the latter the maximum number of secrets that can be stored. Please note that both options apply to the local secrets provider only.
* The sssd-ldap man page didn't specify the different defaults of the user and group name LDAP attributes for the AD provider. This documentation bug was fixed.
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/2813
man page for sss_override command provides irrelevant information for --debug option
https://fedorahosted.org/sssd/ticket/2841
sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)
https://fedorahosted.org/sssd/ticket/3051
Move the diag_cmd option so that it's usable by the watchdog.
https://fedorahosted.org/sssd/ticket/3052
Remove the no longer used kill_service command
https://fedorahosted.org/sssd/ticket/3053
The sssd-secrets responder needs a manpage
https://fedorahosted.org/sssd/ticket/3054
Create integration tests for the sssd-secrets responder
https://fedorahosted.org/sssd/ticket/3056
The sssctl tool should restart the service with systemd's dbus API
https://fedorahosted.org/sssd/ticket/3107
Python SSSD Config API deletes an item during iteration
https://fedorahosted.org/sssd/ticket/3123
Netgroup resolution doesn't work offline
https://fedorahosted.org/sssd/ticket/3125
secrets responder throws an internal error when trying to delete a non-existent secret
https://fedorahosted.org/sssd/ticket/3127
SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side
https://fedorahosted.org/sssd/ticket/3128
throw away the timestamp cache if re-initializing the persistent cache
https://fedorahosted.org/sssd/ticket/3134
sssd is not able to authenticate with alias
https://fedorahosted.org/sssd/ticket/3137
secrets: creating a secret in a container doesn't work
https://fedorahosted.org/sssd/ticket/3140
autofs map resolution doesn't work offline
https://fedorahosted.org/sssd/ticket/3142
expose disabling the netlink support as a sssd.conf option
https://fedorahosted.org/sssd/ticket/3143
selinux avc denial for vsftp login as ipa user
https://fedorahosted.org/sssd/ticket/3145
Update sssd-sudo man page to reflect native sudo support
https://fedorahosted.org/sssd/ticket/3154
sssd exits if clock is adjusted backwards after boot
https://fedorahosted.org/sssd/ticket/3163
resolving IPA nested user group is broken in 1.14
https://fedorahosted.org/sssd/ticket/3165
login using gdm calls for gdm-smartcard when smartcard authentication is not enabled
https://fedorahosted.org/sssd/ticket/3167
SECRETS: Deleting a container that has children should fail
https://fedorahosted.org/sssd/ticket/3168
secrets: Add a configurable depth limit for containers
https://fedorahosted.org/sssd/ticket/3172
Access denied for user when access_provider = krb5 is set in sssd.conf
https://fedorahosted.org/sssd/ticket/3173
unable to create group in sssd cache
https://fedorahosted.org/sssd/ticket/3174
Clock skew makes SSSD return System Error
https://fedorahosted.org/sssd/ticket/3175
sss_groupshow does not work
https://fedorahosted.org/sssd/ticket/3178
unable to add local user in sssd to a group in sssd
https://fedorahosted.org/sssd/ticket/3179
sss_override fails to export
https://fedorahosted.org/sssd/ticket/3180
sss_cache -r option does not print error message if more than one argument is supplied
https://fedorahosted.org/sssd/ticket/3181
libwbclient-sssd: update interface to version 0.13
https://fedorahosted.org/sssd/ticket/3184
sss_groupshow <user> fails with error "No such group in local domain. Printing groups only allowed in local domain"
https://fedorahosted.org/sssd/ticket/3185
SSSD goes offline when the LDAP server returns sizelimit exceeded
https://fedorahosted.org/sssd/ticket/3188
krb5_map_user doesn't seem effective anymore
https://fedorahosted.org/sssd/ticket/3194
[RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases
https://fedorahosted.org/sssd/ticket/3205
Typo In SSSD-AD Man Page
https://fedorahosted.org/sssd/ticket/3207
SSSD logs error upon adding [secrets] section.
https://fedorahosted.org/sssd/ticket/3212
secrets: 500 internal server error when proxy is defined but not running
https://fedorahosted.org/sssd/ticket/3213
IPA: Uninitialized variable during subdomain check
== Detailed Changelog ==
Fabiano Fidêncio (24):
* PROXY: Use the fqname when converting to lowercase
* SYSDB: Rework sysdb_cache_connect()
* SYSDB: Remove the timestamp cache for a newly created cache
* SECRETS: Return ENOENT when_deleting a non-existent secret
* PROXY: Remove lowercase attribute from save_user()
* PROXY: Remove cache_timeout attribute from save_user()
* PROXY: Remove cache_timeout attribute from save_group()
* PROXY: Mention that save_user()'s parameters are already qualified
* PROXY: Share common code of save_{group,user}()
* BUILD: Add a few more targets for intg tests
* BUILD: Clean up prerelease targets
* BUILD: Fix typo in intgcheck-run rule
* MONITOR: Remove leftovers from diag_cmd
* MONITOR: Remove leftovers from kill_service
* SECRETS: Search by the right type when checking containers
* SECRETS: Don't remove a container when it has children
* CONFIG: Add secrets responder to the allowed sections
* CONFIG: Add secrets provider options
* SECRETS: Make functions from local.c static
* SECRETS: Use a tmp_context on local_db_check_containers()
* SECRETS: Add a configurable depth limit for nested containers
* SECRETS: Add a configurable limit of secrets that can be stored
* TESTS: Remove a leftover debug message
* TESTS: Fix check for py bindings in dlopen tests
Jakub Hrozek (35):
* Updating the version for the 1.14.2 release
* CONFIG: selinux_provider is a valid provider type
* CONFIG: session_provider does not exist anymore
* IPA: Parse qualified names when guessing AD user principal
* MONITOR: Remove the no longer used diag_cmd command
* MONITOR: Remove the no longer used kill_service command
* WATCHDOG: define and use _MAX_TICKS as 3
* SECRETS: Make internal function static
* SECRETS: Make reading the config options more uniform
* netlink: Don't define USE_GNU
* MAN: Document the ldap_user_primary_group option
* TOOLS: Fix a typo in groupadd()
* KRB5: Send the output username, not internal fqname to krb5_child
* KRB5: Return ERR_NETWORK_IO on clock skew
* LDAP: Return partial results from adminlimit exceeded
* TESTS: Add integration tests for the sssd-secrets
* AUTOFS: Fix offline resolution of autofs maps
* NSS: Fix offline resolution of netgroups
* TESTS: Test offline netgroups resolution
* tests: Add a regression test for upstream ticket #3131
* MAN: sssd-secrets documentation
* CONFIG: List allowed secrets responder options
* SECRETS: Add DEBUG messages to the sssd-secrets provider
* SECRETS: Use a better data type for ret
* SECRETS: Fix a typo in function name
* SECRETS: Use HTTP error code 504 when a proxy server cannot be reached
* IPA: Initialize a boolean control value
* tests: Add tests for sidbyname NSS operation
* tests: Add tests for getorig by UPN NSS op
* BUILD: Detect the path of the "service" executable
* BUILD: Only search for service in /sbin and /usr/sbin
* BUILD: Not having /sbin/service is not fatal
* RPM: Require initscripts on non-systemd platforms
* sssctl: Fix a typo in preprocessor macro
* Updating the translations for the 1.14.2 release
Justin Stephenson (4):
* MONITOR: Remove --disable-netlink command-line option
* MONITOR: Add disable_netlink option
* MAN: sssd-sudo manual update IPA native LDAP tree support
* sss_cache: improve option argument handling
Lukas Slebodnik (16):
* sssd_netgroup.py: Resolve nested netgroups
* BUILD: Allow to read private pipes for root
* SPEC: Fix typo in Summary
* SYSDB: Fix uninitialized scalar variable
* BUILD: Remove leftover after sysdb refactoring
* PROXY: Use right name in ldap filter
* SYSDB: Fix error handling in sysdb_get_user_members_recursively
* DEBUG: Apend line feed to messages from libsemanage
* SYSDB: Suppress warning from clang static analyser
* SDAP: Fix settig paging attribute in sdap_get_generic_ext_send
* Remove double semicolon at the end of line
* TESTS: Add simple test for double semicolon
* SSSDConfig: Do not fail with nonexisting domains/services
* SPEC: Rename python packages using macro %python_provide
* BUILD: intgcheck need to fail if pytest fails
* CI: Remove dlopen-test from valgrind blacklist
Michal Židek (12):
* TOOLS: sss_groupshow did not work
* TESTS: sss_groupadd/groupshow regressions
* TOOLS: use internal fqdn for DN
* TESTS: Test for sss_user/groupmod -a
* TOOLS: sss_mc_refresh_nested_group short/fqname usage
* TESTS: Add FQDN variants for some tests
* TOOLS: sss_override without name override
* TEST: Add regression test for ticket #3179
* TOOLS: sss_groupshow fails to show MPG
* TESTS: sss_groupshow with MPG
* MAN: Typo in id mapping explanation
* MAN: Wrong defaults for AD provider
Pavel Březina (7):
* watchdog: cope with time shift
* dyndns: fix typo and unify ipa with ad debug message when off
* failover: proceed normally when no new server is found
* sss_override: improve --debug description
* man page: fix language in debug level description
* sssctl: use systemd D-Bus API
* sssctl: call service with absolute path
Petr Cech (4):
* LDAP: Fixing of removing netgroup from cache
* INTG: Adding support for netgroups to ldap_ent
* INTG: Tests for ldap nested netgroups
* PROXY: Adding proxy_max_children option
Petr Čech (5):
* SYSDB: Removing of unused parameter
* TESTS: Fixing of 'const' warnings in sbus tests
* MAKEFILE: Fixing CFLAGS in some tests
* KRB5: Fixing FQ name of user in krb5_setup()
* TESTS: Adding intg. tests on nested groups
Sumit Bose (8):
* sdap_initgr_nested_get_membership_diff: use fully-qualified names
* p11: only set PKCS11_LOGIN_TOKEN_NAME if gdm-smartcard is used
* p11: return a fully-qualified name
* pam_sss: check PKCS11_LOGIN_TOKEN_NAME
* PAM: call free only when memory is expected to be allocated
* nss: allow UPNs in SSS_NSS_GETSIDBYNAME and SSS_NSS_GETORIGBYNAME
* libwbclient-sssd: update interface to version 0.13
* LDAP: Removing of member link from group
Thomas Equeter (1):
* IFP: expose user and group unique IDs through DBus
7 years, 6 months
1.14.2 insists on using StartTLS
by Michael Ströder
HI!
With sssd-ldap I always prefer to use LDAPS for encrypted LDAP connections,
especially because I can seamlessly mix it with LDAPI (for accessing a local slapd
replica).
This works with 1.13.x but not with 1.14.2.
Although the domain debug log shows
Option ldap_id_use_start_tls is FALSE
the syslog shows:
sssd[be[AE-DIR]]: Could not start TLS encryption. unknown error
Switching sssd.conf to use StartTLS, everything works (CA cert ok etc.), but
that's not what I want (because LDAPI precludes using StartTLS).
Ciao, Michael.
7 years, 6 months
Issue with SSSD in a Parent and child domain configuration
by downloader009@gmail.com
Hi,
I have a domain "example.com" which has several child domains "abc.example.com", "def.example.com", "ghi.example.com".
I have joined my CentOS 6.8 server to the domain "example.com" using adcli and my sssd version is sssd-1.13.3-22
Here is my sssd.conf:
====================== BEGIN =======================
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = example.com
[pam]
pam_id_timeout = 20
[domain/example.com]
id_provider = ad
auth_provider = ad
ldap_id_mapping = true
cache_credentials = true
override_homedir = /home/%u
subdomain_enumerate = all
krb5_auth_timeout = 20
[nss]
override_shell = /bin/bash
======================== END =========================
I have user1 in example.com and user2 in abc.example.com
when I run "getent passwd user1" I get the expected output.
user1:*:123456789:987654321:User 1:/home/user1:/bin/bash
But when I run "getent passwd user2", I do not get any output.
And when I run "getent passwd user2@abc.example.com", I get the output as follows;
user2@abc.infores.com:*:123456780:987654321:User 2:/home/user2:/bin/bash
I would like to use only the username (without the child domain name suffix) for all purposes (login/id command/getent command etc).
How can I get the getent output for the IDs in the child domain to be the same as the getent output for IDs in the parent domain?
I have read the man pages and also tried the "use_fully_qualified_names = false" option. It didn't help the child domain IDs
Thanks in advance,
7 years, 6 months