sssd performance on large domains
by zfnoctis@gmail.com
Hi,
I'm wondering if there are any plans to improve sssd performance on large active directory domains (100k+ users, 40k+ groups), or if there are settings I am not aware of that can greatly improve performance, specifically for workstation use cases.
Currently if I do not set "ignore_group_members = True" in sssd.conf, logins can take upwards of 6 minutes and "sssd_be" will max the CPU for up to 20 minutes after logon, which makes it a non-starter. The reason I want to allow group members to be seen is that I want certain domain groups to be able to perform elevated actions using polkit. If I ignore group members, polkit reports that the group is empty and so no one can elevate in the graphical environment.
Ultimately this means that Linux workstations are at a severe disadvantage since they cannot be bound to the domain and have the normal set of access features users and IT expect from macOS or Windows.
Distributions used: Ubuntu 16.04 (sssd 1.13.4-1ubuntu1.1), Ubuntu 16.10 (sssd 1.13.4-3) and Fedora 24 (sssd-1.13.4-3.fc24). All exhibit the same problems.
I've also tried "ldap_group_nesting_level = 1" without seeing any noticeable improvement with respect to performance. Putting the database on /tmp isn't viable as these are workstations that will reboot semi-frequently, and I don't believe this is an I/O bound performance issue anyways.
Thanks for your time.
1 year, 7 months
Enumerate users from external group from AD trust
by Bolke de Bruin
Hello,
I have sssd 1.13.00 working against a FreeIPA 4.2 domain. This domain has a trust relationship with an Active Directory domain.
One of the systems we are using requires enumerating all users in groups by (unfortunate) design (Apache Ranger). This is done by using "getent group". During this enumeration the full user list for a group that has a nested external member group* is not always returned, so we thought to add "getent group mygroup" in order to get more details. Unfortunately this does not seem to work consistently: sometimes this gives information, sometimes it does not:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
[root@master centos]# id bolke@ad.local
UID=1796201107(bolke@ad.local) GID=1796201107(bolke@ad.local) groepen=1796201107(bolke@ad.local),1796200513(domain users@ad.local),1796201108(test@ad.local)
[root@master centos]# getent group ad_users
ad_users:*:1950000004:bolke@ad.local
If I clear the cache (sss_cache -E) the entry is gone again:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
My question is how do I get sssd to enumerate *all users* in a group consistently?
Thanks!
Bolke
* https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-g...
3 years, 10 months
'no primary group ID provided' when trying to use ldap mode against AD
by Daniel Hermans
Hi,
I'd like to use sssd in LDAP mode against Active Directory, so I have defined:
id_provider = ldap
auth_provider = ldap
Yes, krb5 would be better, but I only have a BIND account and cannot add computer objects.
This 'should' be possible; it works with nslcd. As I don't have POSIX attributes I'm using:
ldap_id_mapping = true
fallback_homedir = /home/%d/%u
default_shell = /bin/bash
sssd can bind with LDAPS and can seem to get user info from the domain:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Some User,OU=Admin Accounts,DC=dev,DC=somedomain,DC=com].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_process_result] (0x2000): Trace: sh[0x7f5d15fbc030], connected[1], ops[0x7f5d1639d140], ldap[0x7f5d15fb5cd0]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_op_destructor] (0x2000): Operation 3 finished
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_search_user_process] (0x4000): Retrieved total 1 users
The UID mapping seems to succeed:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): Save user
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x4000): Failed to retrieve UUID [2][No such file or directory].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): SID S-1-5-21-3970895924-989261097-3267629119-1443 does not belong to any known domain
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_primary_name] (0x0400): Processing object someuser
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): Processing user someuser
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x1000): Mapping user [someuser] objectSID [S-1-5-21-3970895924-989261097-3267629119-1443] to unix ID
But it gets no further with this message:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_idmap_primary_gid] (0x0080): no primary group ID provided
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0020): Cannot get the GID for [someuser] in domain [extdev].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0020): Failed to save user [someuser]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
Have tried against two different domains with identical result ( one a cleanly installed 2012R2 domain ).
Any ideas what I'm doing wrong? Is this possible? Various (old) posts suggest it is.
This was first (incorrectly) posted to sssd-devel, Jakub Hrozek updated and told me to define ldap_idmap_default_domain_sid so sssd no longer reports this:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): SID S-1-5-21-3970895924-989261097-3267629119-1443 does not belong to any known domain
Thanks in advance!!
6 years, 5 months
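A small parser for the sssd debug-log format quoted in the post above, added here as an example (it is not part of the post or of sssd). It picks out the failure-level messages in order, and separately the trace-level "does not belong to any known domain" line that the sssd-devel reply pointed at: that message is logged at 0x0400, so a filter on failure levels alone would hide it. The sample input is the eleven log lines from the post; level names follow sssd.conf(5).

```python
import re

# One sssd debug-log line: (timestamp) [process] [c_function] (0xLEVEL): message
LOG_LINE = re.compile(
    r"^\((?P<ts>[^)]+)\) "              # timestamp in parentheses
    r"\[(?P<proc>.+?)\] "               # process / subsystem, e.g. sssd[be[dev]]
    r"\[(?P<func>[^\]]+)\] "            # C function that emitted the message
    r"\((?P<level>0x[0-9a-fA-F]+)\): "  # debug level bit, as in sssd.conf(5)
    r"(?P<msg>.*)$"
)

# Debug level bits from sssd.conf(5); the four lowest bits are failure classes.
LEVEL_NAMES = {
    0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor failure",
    0x0100: "config", 0x0200: "function data", 0x0400: "trace operations",
    0x1000: "trace internal", 0x2000: "trace variables", 0x4000: "trace low-level",
}
FAILURE_MASK = 0x00F0

# A domain SID (S-1-5-21-a-b-c) optionally followed by a RID.
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3,4}")

# Sample input: the eleven debug lines quoted in the post above (copied, not constructed).
SAMPLE_LOG = """\
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): Save user
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x4000): Failed to retrieve UUID [2][No such file or directory].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): SID S-1-5-21-3970895924-989261097-3267629119-1443 does not belong to any known domain
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_primary_name] (0x0400): Processing object someuser
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): Processing user someuser
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x1000): Mapping user [someuser] objectSID [S-1-5-21-3970895924-989261097-3267629119-1443] to unix ID
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_idmap_primary_gid] (0x0080): no primary group ID provided
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0020): Cannot get the GID for [someuser] in domain [extdev].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0020): Failed to save user [someuser]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
"""


def parse_line(line):
    """Return a dict for one log line, or None for lines not in sssd's format."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)
    rec["level_name"] = LEVEL_NAMES.get(rec["level"], "unknown")
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def failures(records):
    """Records at a failure level (0x0010..0x0080) in log order; the first is usually the root cause."""
    return [r for r in records if r["level"] & FAILURE_MASK]


def unknown_domain_sids(records):
    """SIDs sssd could not attribute to a configured domain (logged at trace level, not as a failure)."""
    found = []
    for r in records:
        if "does not belong to any known domain" in r["msg"]:
            m = SID_RE.search(r["msg"])
            if m and m.group(0) not in found:
                found.append(m.group(0))
    return found


def domain_sid(sid):
    """Drop the trailing RID: the domain part is the form ldap_idmap_default_domain_sid takes."""
    return sid.rsplit("-", 1)[0]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in failures(recs):
        print("%-14s %-28s %s" % (r["level_name"], r["func"], r["msg"]))
    for sid in unknown_domain_sids(recs):
        print("unknown domain for %s -> domain SID %s" % (sid, domain_sid(sid)))
```

Run against the post's lines, the first failure-level record is the `no primary group ID provided` message from `sdap_get_idmap_primary_gid`; everything after it is the consequence of that one miss, which is why reading failures in log order rather than by severity is the useful habit.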
sssd-ad Clarifications
by Lesley Kimmel
Hi, all. Thanks in advance for your help.
I am working to integrate some RHEL7 servers to AD. In doing so it seems clear that SSSD is the way to go. However, it looks like there are basically (2) options:
1) use sssd-ad (id_provider=ad, access_provider=ad)
2) Use explicit LDAP and Kerberos providers
I would prefer to use the sssd-ad method because it is obviously simpler. However, I am unclear what security is provided therein. Obviously, Kerberos is pretty secure for authentication. However, when groups, etc., are retrieved from LDAP, is that done over SSL/TLS? It is implied that using the sssd-ad method is essentially a shorthand for other LDAP/Kerberos settings, and I can't find a complete listing of what those settings are. If I configure the server to enforce STARTTLS, is SSSD "smart enough" to work with that if I use sssd-ad, or would I need to go the LDAP+Kerberos route in order to configure some of the TLS-related settings?
Thanks again,
-LJK
6 years, 8 months
SSSD ad authentication windows server 2012 R2
by xenioz@gmail.com
I want to log in with AD users on a client with no GUI. It is an Ubuntu 16.04 machine with SSSD. The Active Directory server is Windows Server 2012 R2. I cannot log in at the console login with "aduser@srv.local" or "aduser\srv.local", nor does "su aduser" work; however, I can kinit and successfully get a ticket, and adding the machine to the domain also works.
I followed this tutorial: https://help.ubuntu.com/lts/serverguide/sssd-ad.html
I'm not sure whether PAM is configured correctly, whether the ticket is not created at boot time, or whether the keytabs are correct.
The SSSD version is: 1.13.4-1ubuntu1.1
The version of libpam-modules is: 1.1.8-3.2ubuntu2
What I have done:
==============
root@srv2:~# sudo kinit Administrator
Password for Administrator@SRV.LOCAL:
root@srv2:~# sudo klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@SRV.LOCAL
Valid starting Expires Service principal
12/29/2016 07:27:28 12/29/2016 17:27:28 krbtgt/SRV.LOCAL@SRV.LOCAL
renew until 01/05/2017 07:27:27
Join domain:
root@srv2:~# net ads join -k
Using short domain name -- SRV
Joined 'SRV2' to dns domain 'srv.local'
After configuring and joining the domain I rebooted the computer and created a test user in Active Directory named linux. I tried su linux to change to that user, but it hasn't been added to passwd.
Getent passwd:
root@srv2:~# getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
mark:x:1000:1000:mark,,,:/home/mark:/bin/bash
ntp:x:111:117::/home/ntp:/bin/false
sssd:x:112:118:SSSD system user,,,:/var/lib/sss:/bin/false
wbinfo query information:
root@srv2:~# wbinfo -t
checking the trust secret for domain SRV via RPC calls succeeded
wbinfo -u -g:
root@srv2:~# wbinfo -u -g
SRV\administrator
SRV\guest
SRV\krbtgt
SRV\mark
SRV\test1
SRV\linux
SRV\winrmremotewmiusers__
SRV\domain computers
SRV\domain controllers
SRV\schema admins
SRV\enterprise admins
SRV\cert publishers
SRV\domain admins
SRV\domain users
SRV\domain guests
SRV\group policy creator owners
SRV\ras and ias servers
SRV\allowed rodc password replication group
SRV\denied rodc password replication group
SRV\read-only domain controllers
SRV\enterprise read-only domain controllers
SRV\cloneable domain controllers
SRV\protected users
SRV\dnsadmins
SRV\dnsupdateproxy
SRV\dhcp users
SRV\dhcp administrators
ldapsearch with GSSAPI shows error with keytabs:
root@srv2:~# /usr/bin/ldapsearch -H ldap://srv.local -Y GSSAPI -N -b "dc=src,dc=local" "(&(objectClass=user)(sAMAccountName=aduser))"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)
/var/log/sssd/ldap_child.log:
(Thu Dec 29 07:27:40 2016) [[sssd[ldap_child[33841]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication fail
/var/log/auth.log:
Dec 29 20:03:59 srv2 login[1344]: pam_unix(login:auth): check pass; user unknown
Dec 29 20:03:59 srv2 login[1344]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser$
Dec 29 20:04:24 srv2 sssd_be: GSSAPI client step 1
Dec 29 20:04:24 srv2 sssd_be: GSSAPI client step 1
Dec 29 20:04:24 srv2 sssd_be: GSSAPI client step 1
Dec 29 20:04:24 srv2 sssd_be: GSSAPI client step 1
I used tcpdump to filter ldap, dns and krb5 ports. The capture can be viewed here: http://www.filedropper.com/ldap-sssd
Errors that occurred are:
67 0.112875 192.168.253.200 192.168.253.100 DNS 151 Standard query response 0xe2ee No such name SRV _kerberos-master._tcp.SRV.LOCAL SOA dc1.srv.local
I have read that the error below can safely be ignored:
31 0.094884 192.168.253.200 192.168.253.100 KRB5 231 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
Configuration files:
==============
/etc/hosts:
127.0.0.1 localhost
192.168.253.100 srv2.srv.local srv2
# The following lines are desirable for IPv6 capable hosts
#::1 localhost ip6-localhost ip6-loopback
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters
/etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.253.200
search srv.local
/etc/krb5.conf:
[libdefaults]
default_realm = SRV.LOCAL
renew_lifetime = 7d
ticket_lifetime = 24h
dns_lookup_realm = true
dns_lookup_kdc = true
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
rdns = false
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
SRV.LOCAL = {
kdc = srv.local
admin_server = srv.local
default_domain = srv.local
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
MEDIA-LAB.MIT.EDU = {
kdc = kerberos.media.mit.edu
admin_server = kerberos.media.mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
MOOF.MIT.EDU = {
kdc = three-headed-dogcow.mit.edu:88
kdc = three-headed-dogcow-1.mit.edu:88
admin_server = three-headed-dogcow.mit.edu
}
CSAIL.MIT.EDU = {
kdc = kerberos-1.csail.mit.edu
kdc = kerberos-2.csail.mit.edu
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
krb524_server = krb524.csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
GNU.ORG = {
kdc = kerberos.gnu.org
kdc = kerberos-2.gnu.org
kdc = kerberos-3.gnu.org
admin_server = kerberos.gnu.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
GRATUITOUS.ORG = {
kdc = kerberos.gratuitous.org
admin_server = kerberos.gratuitous.org
}
DOOMCOM.ORG = {
kdc = kerberos.doomcom.org
admin_server = kerberos.doomcom.org
}
ANDREW.CMU.EDU = {
kdc = kerberos.andrew.cmu.edu
kdc = kerberos2.andrew.cmu.edu
kdc = kerberos3.andrew.cmu.edu
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}
[domain_realm]
.srv.local = dc1.srv.local
srv.local = dc1.srv.local
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
[login]
krb4_convert = true
krb4_get_tickets = false
[logging]
default = FILE:/var/log/krb5libs.log
Permissions of /etc/sssd/sssd.conf:
drw------- 2 root root 4096 Dec 29 08:37 .
drwxr-xr-x 96 root root 4096 Dec 29 08:34 ..
-rw------- 1 root root 696 Dec 29 08:30 sssd.conf
/etc/sssd/sssd.conf:
[sssd]
services = nss, pam
config_file_version = 2
domains = SRV.LOCAL
#default_domain_suffix = SRV.LOCAL
[domain/SRV.LOCAL]
id_provider = ad
access_provider = ad
# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so
override_homedir = /home/%d/%u
# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = srv2.srv.local
# Uncomment if DNS SRV resolution is not working
# ad_server = dc1.srv.local
# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = SRV.LOCAL
# Enumeration is discouraged for performance reasons.
# enumerate = true
/etc/samba/smb.conf:
[global]
workgroup = SRV
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = SRV.LOCAL
security = ads
/etc/nsswitch.conf:
passwd: compat sss
shadow: compat
group: compat sss
gshadow: files
hosts: files dns
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: nis sss
publickey: files
automount: files
aliases: files
sudoers: files sss
/etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
/etc/pam.d/common-password
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix.
# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords. Without this option,
# the default is Unix crypt. Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
password requisite pam_pwquality.so retry=3
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password sufficient pam_sss.so use_authtok
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
6 years, 9 months
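The auth.log line `pam_unix(login:auth): check pass; user unknown` in the post above is not itself what blocks the login: in the quoted common-auth stack pam_unix's result is marked `default=ignore`, so the outcome depends on what pam_sss returns, and pam_deny only fires if neither module succeeded. The following is an added example, not taken from the post, from Ubuntu or from Linux-PAM: a simplified model of the control-flag rules in pam.conf(5) (ok/bad/die/done/ignore/reset and `success=N` jumps), walked over the post's own common-auth lines with module results supplied by hand. It models only the control semantics, not the modules, and its jump handling is a simplification of pam_dispatch.c.

```python
import re

# Shorthand control flags expanded to their [value=action] form, as documented in pam.conf(5).
CONTROL_ALIASES = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# Modules whose result never depends on the caller.
FIXED_RESULTS = {"pam_deny.so": "auth_err", "pam_permit.so": "success"}

RULE_RE = re.compile(r"^(?P<type>\w+)\s+(?P<control>\[[^\]]*\]|\w+)\s+(?P<module>\S+)\s*(?P<args>.*)$")

# Sample input: the active lines of /etc/pam.d/common-auth from the post (comments omitted).
COMMON_AUTH = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""


def parse_pam_file(text):
    """Parse pam.d-style lines into rules with an explicit value->action map."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % raw)
        control = m.group("control")
        if control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
        elif control in CONTROL_ALIASES:
            actions = CONTROL_ALIASES[control]
        else:
            raise ValueError("unsupported control flag %r" % control)
        rules.append({"type": m.group("type"), "actions": actions,
                      "module": m.group("module"), "args": m.group("args").split()})
    return rules


def run_stack(rules, module_results, facility="auth"):
    """Walk the stack with the given per-module return codes (strings such as 'success',
    'user_unknown', 'auth_err'). Returns (final_status, trace), where trace lists
    (module, return_code, action) for every module that actually ran."""
    stack = [r for r in rules if r["type"] == facility]
    results = {**FIXED_RESULTS, **module_results}
    impression = None          # None: undefined, True: positive, False: negative
    status = "perm_denied"     # what Linux-PAM returns if no module ever set a positive result
    trace, i = [], 0
    while i < len(stack):
        rule = stack[i]
        rc = results.get(rule["module"], "ignore")
        action = rule["actions"].get(rc, rule["actions"].get("default", "ignore"))
        trace.append((rule["module"], rc, action))
        skip = 0
        if action.isdigit():                   # jump over the next N modules
            skip = int(action)
            if impression is None:
                impression, status = True, rc
        elif action == "ok":
            if impression is not False:
                impression, status = True, rc
        elif action in ("bad", "die"):
            if impression is not False:        # the first failure is the one reported
                impression, status = False, rc
            if action == "die":
                break
        elif action == "done":
            if impression is not False:
                impression, status = True, rc
            break
        elif action == "reset":
            impression, status = None, "perm_denied"
        # "ignore": the module's result does not count towards the stack's outcome
        i += 1 + skip
    if status == "success" and impression is not True:
        status = "perm_denied"                 # Linux-PAM's sanity check against all-ignore stacks
    return status, trace


if __name__ == "__main__":
    rules = parse_pam_file(COMMON_AUTH)
    cases = {
        "AD user, sssd accepts": {"pam_unix.so": "user_unknown", "pam_sss.so": "success"},
        "AD user, sssd rejects": {"pam_unix.so": "user_unknown", "pam_sss.so": "auth_err"},
        "local user, good pw":   {"pam_unix.so": "success"},
    }
    for name, res in cases.items():
        status, trace = run_stack(rules, res)
        print("%-24s -> %-12s via %s" % (name, status, " > ".join(m for m, _, _ in trace)))
```

Tracing the "AD user" cases shows that when pam_unix returns `user_unknown` the stack falls through to pam_sss, and only if pam_sss also fails does pam_deny's `requisite` end the conversation with a failure; so the thing to diagnose in the post is pam_sss's own result (sssd's pam responder and back end logs), not the pam_unix line.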
sssd-ldap Requirements
by Lesley Kimmel
All;
I was recently looking at the man page for sssd-ldap and saw that several of the options default to the 'openldap defaults'.
Based on this I was wondering:
1) Is there any requirement of SSSD on openldap client tools?
2) If openldap is NOT required, will SSSD still use what would be the openldap values, or is it required to have the ldap.conf file present to obtain these values?
3) If not #2, are there other defaults that SSSD uses, or must we provide values when we don't have ldap.conf in place?
Thanks,
-LJK
6 years, 9 months
sssd + samba valid users
by jsl6uy js16uy
Hello all, hope all is well/happy holidays
Checked on the samba list and they directed me here.....
My issue is valid users in smb.conf containing an AD group
I have tried this on systems running cent7u2 and ubuntu trusty. These systems are running sssd. I can log in with AD users and chown/chgrp files with AD groups. However, I can't get AD groups to work with valid users in the smb.conf for restricting share access. If I just set individual AD users, it works just fine.
Also, locally everything works as expected. For example, I can chown a folder to be owned by an AD group with 2770. I can log into the host via passwd/kerberos ticket and chdir into that directory without issue; below, the user in question is part of MC-Services (apologies, not trying to be overly obvious).
drwxrwsr-x 3 appadmin MC-Services 4096 Dec 15 14:47 logs
Again, singly listed AD users work with valid users. This kind of abstraction is nice so I don't have to tweak FS perms to "match" shared-out access. Right now, with the local FS perms above, I can get into the share if I have the share set up as below:
[logs]
comment = Server Logs
path = /logs
writable = no
valid users = jsmith
printable = no
So it seems samba can handle the users, but not AD groups, or can't get the info/membership for the AD groups. If I change the owner of the dir to be completely owned by appadmin, the testing user can no longer get into the share, which makes sense.
Any thoughts/help would be greatly appreciated.
thanks and regards
some info on samba vers on the centos host
samba-common-4.2.3-12.el7_2.noarch
samba-common-tools-4.2.3-12.el7_2.x86_64
samba-common-libs-4.2.3-12.el7_2.x86_64
samba-4.2.3-12.el7_2.x86_64
samba-libs-4.2.3-12.el7_2.x86_64
samba-client-libs-4.2.3-12.el7_2.x86_64
[root@Xsamba]# smbd -V
Version 4.2.3
>>>Here is the SAMBA config
[global]
workgroup = mc
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
security = ads
bind interfaces only = yes
interfaces=192.168.99.0/24
dedicated keytab file=/etc/krb5.keytab
password server = 192.168.1.2 192.168.1.3
realm = MC.FOO.COM
passdb backend = tdbsam
map to guest = Bad Uid
[homes]
comment = Home Directories
browseable = no
writable = yes
[logs]
comment = Server Logs
path = /logs
writable = no
#valid users = jsmith
valid users = @"MC\MC-Services"
printable = no
6 years, 9 months
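How Samba reads the prefixes in a `valid users` list is the first thing to check when a group entry does not work where a user entry does: per smb.conf(5), `@name` is tried as a netgroup and then as a UNIX group, `+name` only as a UNIX group, `&name` only as a netgroup. The following is an added example, not from the post or from Samba: a parser for that list syntax and an access decision over memberships the caller supplies, applied to the two share definitions in the post. The name normalisation (ignoring a `DOMAIN\` prefix or `@realm` suffix, case-insensitive) is this example's simplification; Samba itself hands the name to getgrnam() exactly as written, and the `ls -l` output in the post shows the group on that host as `MC-Services`, so the spelling NSS returns is worth comparing against the spelling in smb.conf.

```python
import re

# One list entry: optional prefix characters, then a double-quoted or bare name.
TOKEN_RE = re.compile(r'(?P<prefix>[@+&]{0,2})(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s,"]+))')

# Which databases each prefix consults, in order (smb.conf(5), "invalid users").
PREFIX_LOOKUPS = {
    "":   ("user",),
    "@":  ("netgroup", "group"),
    "&+": ("netgroup", "group"),
    "+":  ("group",),
    "&":  ("netgroup",),
    "+&": ("group", "netgroup"),
}


def parse_valid_users(value):
    """Split an smb.conf list value into entries with the lookups Samba would try for each."""
    entries = []
    for m in TOKEN_RE.finditer(value):
        name = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        prefix = m.group("prefix")
        if prefix not in PREFIX_LOOKUPS:
            raise ValueError("unknown prefix %r in %r" % (prefix, value))
        entries.append({"name": name, "lookups": PREFIX_LOOKUPS[prefix]})
    return entries


def short_name(name):
    """Simplification for this example: map 'MC\\MC-Services', 'mc-services@mc.foo.com' and
    'MC-Services' to one case-folded key. Samba does no such normalisation itself."""
    n = name.rsplit("\\", 1)[-1]     # DOMAIN\name -> name
    n = n.split("@", 1)[0]           # name@realm -> name
    return n.casefold()


def share_allows(valid_users, user, groups, netgroups=()):
    """Return (allowed, matching_entry) for a user with the given group and netgroup memberships."""
    candidates = {"user": [user], "group": list(groups), "netgroup": list(netgroups)}
    for entry in parse_valid_users(valid_users):
        key = short_name(entry["name"])
        for db in entry["lookups"]:
            if any(short_name(c) == key for c in candidates[db]):
                return True, entry
    return False, None


if __name__ == "__main__":
    # Constructed memberships for the user in the post; "MC-Services" is the group name ls -l printed there.
    memberships = ["MC-Services", "domain users"]
    for value in ["jsmith", r'@"MC\MC-Services"', "+MC-Services", "&MC-Services"]:
        allowed, why = share_allows(value, "jsmith", memberships)
        print("%-22s -> %-5s %s" % (value, allowed, why["lookups"] if why else "no entry matched"))
```

With the example's normalisation, `@"MC\MC-Services"` admits a member of `MC-Services`; on the real host the equivalent check is whether `getent group` for the name as written in smb.conf returns the group with the user in its member list, since that is the lookup Samba performs.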
Re: Avoid (&(objectClass=posixAccount)(uid=*)(uidNumber=*)(gidNumber=*))
by Maninder Singh
Hi,
Please find the sssd.conf below. We are seeing the following in the LDAP logs:
SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(uid=gdm)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
conn=3410 op=2 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey mail
We just need the filter (objectClass=*) instead of the highlighted one. Also, we have created extra attributes which we are not able to see in SRCH attr. Please help.
[sssd]
config_file_version = 2
domains = default
services = nss, pam, autofs
[domain/default]
debug_level = 9
id_provider = ldap
krb5_realm = #
ldap_schema = rfc2307bis
ldap_uri = ldap://x.y.z:389
ldap_search_base = dc=mydomain,dc=com?base?|(objectClass=*)
cache_credentials = True
autofs_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_default_bind_dn = cn=Manager,dc=mydomain,dc=com
ldap_default_authtok =xyz
access_provider = ldap
enumerate = True
[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://x.y.z:389
ldap_search_base = dc=mydomain,dc=com
cache_credentials = true
min_id = 5000
max_id = 25000
enumerate = false
[nss]
[pam]
[autofs]
Regards,
Maninder
6 years, 9 months
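sssd-ldap(5) documents an extended form of `ldap_search_base`, `base?scope?filter[?base?scope?filter...]`, where scope is one of base, onelevel or subtree and the filter must be a valid LDAP search filter. The following is an added example, not from the post or from sssd: a checker for that syntax with a small recursive-descent check of the RFC 4515 filter grammar, run over the two search-base values from the sssd.conf above. It only validates the string; nothing here talks to LDAP.

```python
import re

SCOPES = ("base", "onelevel", "subtree")
# One simple filter item: attribute, comparison operator, value (e.g. objectClass=*).
ITEM_RE = re.compile(r"[A-Za-z0-9.;:-]+(?:=|~=|>=|<=)[^()]*")


def parse_filter(s, i=0):
    """Recursive descent over RFC 4515: filter = '(' ( '&'|'|' filter+ | '!' filter | item ) ')'.
    Returns the index just past the filter starting at s[i]; raises ValueError on bad syntax."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    c = s[i]
    if c in "&|":
        i += 1
        if i >= len(s) or s[i] != "(":
            raise ValueError("'%s' needs at least one sub-filter at offset %d" % (c, i))
        while i < len(s) and s[i] == "(":
            i = parse_filter(s, i)
    elif c == "!":
        i = parse_filter(s, i + 1)
    else:
        j = s.find(")", i)
        if j == -1 or not ITEM_RE.fullmatch(s[i:j]):
            raise ValueError("bad filter item at offset %d" % i)
        i = j
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return i + 1


def is_valid_filter(s):
    try:
        return parse_filter(s) == len(s)
    except ValueError:
        return False


def parse_search_base(value):
    """Split an ldap_search_base value into (base, scope, filter) entries with any problems found."""
    parts = value.split("?")
    if len(parts) != 1 and len(parts) % 3:
        raise ValueError("expected base?scope?filter triples, got %d '?'-separated fields" % len(parts))
    if len(parts) == 1:
        parts = [parts[0], "subtree", ""]     # plain DN: sssd searches the whole subtree
    result = []
    for base, scope, filt in zip(parts[0::3], parts[1::3], parts[2::3]):
        problems = []
        if not base.strip():
            problems.append("empty base DN")
        if scope not in SCOPES:
            problems.append("scope %r must be one of %s" % (scope, "/".join(SCOPES)))
        if filt and not is_valid_filter(filt):
            problems.append("filter %r is not a parenthesised RFC 4515 filter" % filt)
        result.append({"base": base, "scope": scope, "filter": filt or None, "problems": problems})
    return result


if __name__ == "__main__":
    # The two values from the sssd.conf in the post above.
    for v in ["dc=mydomain,dc=com?base?|(objectClass=*)", "dc=mydomain,dc=com"]:
        for part in parse_search_base(v):
            print("%-45s scope=%-8s filter=%-18s %s" % (v, part["scope"], part["filter"], part["problems"] or "ok"))
```

The posted value `dc=mydomain,dc=com?base?|(objectClass=*)` fails the filter check because an RFC 4515 filter is always fully parenthesised (`(objectClass=*)` or `(|(objectClass=*))`); a `base` scope is also worth a second look, since a base-scoped search returns only the base entry itself. Separately, the `(objectClass=posixAccount)` term in the logged search does not come from the search base but from `ldap_user_object_class`, and attributes beyond the default set are requested with `ldap_user_extra_attrs`.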
logging into machine with AD credentials for the first time
by Thomas Beaudry
Hi Everyone,
I have been able to get sssd to work so I can log in with my AD credentials to a workstation and through ssh; however, I am running into a problem. Whenever a new user tries to log in to an Ubuntu workstation for the first time it doesn't allow them. I am guessing the login screen doesn't contact the Windows AD to check credentials (so maybe sssd hasn't been started yet). I currently have sssd managing the following services: pam, ssh, autofs, and nss. The workaround that I have found is to ssh to that machine from another machine with the AD credentials that I would like to use, and then when I reset the machine I am able to use those credentials at the login screen. Is there a better way?
Thanks,
Thomas
6 years, 9 months
The dreaded: 4 (System error) with SSH
by Omen Wild
A small group of us have been trying to get our Ubuntu hosts fully integrated into AD using sssd. We have slowly chipped away at the issues. We believe we are left with one major issue: when we try to log in with SSH we get 4: (System error).
The host is Ubuntu 16.04.1, up to date as of today, so sssd 1.13.4-1ubuntu1. All PAM files are the defaults.
We used the `realm` command to join AD:
realm -v join tou.t3.ucdavis.edu -U MyAdminAccount@TOU.T3.UCDAVIS.EDU
Our AD is set up with TOU.T3.UCDAVIS.EDU as a child domain in the same forest as the parent domain, T3.UCDAVIS.EDU, with users in T3.UCDAVIS.EDU and computers and groups in TOU.T3.UCDAVIS.EDU.
All sssd logs (debug_level = 9) and config files are here:
https://descolada.ucdavis.edu/415bfd2c-b0fa-11e6-97b8-3417ebb1df52/
The timing that generated those log files:
13:02: Clear logs, restart sssd
13:03: id omen
13:04: ssh omen@ (correct password, 4 (System error))
In /var/log/auth.log:
Nov 22 13:04:41 phys-adtest sshd[29803]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=169.237.42.193 user=omen
Nov 22 13:04:42 phys-adtest sshd[29803]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=169.237.42.193 user=omen
Nov 22 13:04:42 phys-adtest sshd[29803]: pam_sss(sshd:auth): received for user omen: 4 (System error)
Nov 22 13:04:43 phys-adtest sshd[29803]: Failed password for omen from 169.237.42.193 port 42414 ssh2: RSA SHA256:FJYFiUaVTKvx6cL9QG07WURCN/hqRLMZ1WvZCSJXN/g
13:05: ssh omen@ (incorrect password)
In /var/log/auth.log:
Nov 22 13:05:34 phys-adtest sshd[29823]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=169.237.42.193 user=omen
Nov 22 13:05:34 phys-adtest sshd[29823]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=169.237.42.193 user=omen
Nov 22 13:05:34 phys-adtest sshd[29823]: pam_sss(sshd:auth): received for user omen: 17 (Failure setting user credentials)
Nov 22 13:05:37 phys-adtest sshd[29823]: Failed password for omen from 169.237.42.193 port 42434 ssh2: RSA SHA256:FJYFiUaVTKvx6cL9QG07WURCN/hqRLMZ1WvZCSJXN/g
Nov 22 13:05:38 phys-adtest sshd[29823]: Connection closed by 169.237.42.193 port 42434 [preauth]
13:06: systemctl stop sssd
Thanks!
Omen
--
Omen Wild
Systems Administrator
Metro Cluster
6 years, 9 months
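The two auth.log excerpts in the post above differ in one field: with the correct password pam_sss reports `4 (System error)`, with a wrong one `17 (Failure setting user credentials)`. That distinction matters operationally: a 4 means the password was never judged (the sssd back end, KDC, DNS or clock is the problem), so counting it as a failed login attempt in a brute-force detector misfiles an outage as an attack. The following is an added example, not from the post or from sssd: it groups sshd lines by process id, attaches the pam_sss return code and the remote host to each session, and buckets the code. The PAM code names are Linux-PAM's; the buckets are this example's own grouping.

```python
import re
from collections import defaultdict

# Linux-PAM return codes as printed by pam_sss's "received for user X: N (text)" message.
PAM_CODES = {
    0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN", 11: "PAM_MAXTRIES", 17: "PAM_CRED_ERR",
}

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
RECEIVED_RE = re.compile(r"pam_sss\([^)]*\): received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")

# Sample input: the auth.log excerpts from the post (copied, not constructed).
SAMPLE_AUTH_LOG = """\
Nov 22 13:04:41 phys-adtest sshd[29803]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=169.237.42.193 user=omen
Nov 22 13:04:42 phys-adtest sshd[29803]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=169.237.42.193 user=omen
Nov 22 13:04:42 phys-adtest sshd[29803]: pam_sss(sshd:auth): received for user omen: 4 (System error)
Nov 22 13:04:43 phys-adtest sshd[29803]: Failed password for omen from 169.237.42.193 port 42414 ssh2: RSA SHA256:FJYFiUaVTKvx6cL9QG07WURCN/hqRLMZ1WvZCSJXN/g
Nov 22 13:05:34 phys-adtest sshd[29823]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=169.237.42.193 user=omen
Nov 22 13:05:34 phys-adtest sshd[29823]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=169.237.42.193 user=omen
Nov 22 13:05:34 phys-adtest sshd[29823]: pam_sss(sshd:auth): received for user omen: 17 (Failure setting user credentials)
Nov 22 13:05:37 phys-adtest sshd[29823]: Failed password for omen from 169.237.42.193 port 42434 ssh2: RSA SHA256:FJYFiUaVTKvx6cL9QG07WURCN/hqRLMZ1WvZCSJXN/g
Nov 22 13:05:38 phys-adtest sshd[29823]: Connection closed by 169.237.42.193 port 42434 [preauth]
"""


def classify(code):
    """Bucket a pam_sss return code for triage (this example's grouping, not a PAM concept)."""
    if code == 0:
        return "success"
    if code in (4, 9):
        return "backend-error"   # sssd, KDC, DNS or clock: the password itself was not judged
    if code in (6, 7, 10, 11):
        return "rejected"        # the credential or the user was not accepted
    if code == 17:
        return "cred-error"      # PAM_CRED_ERR: credentials could not be established
    return "other"


def triage_auth_log(text):
    """Group sshd lines by pid and attach the pam_sss verdict and remote host to each session."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        s = sessions[m.group("pid")]
        s.setdefault("first_seen", m.group("ts"))
        msg = m.group("msg")
        r = RECEIVED_RE.search(msg)
        if r:
            s.update(user=r.group("user"), pam_code=int(r.group("code")), pam_text=r.group("text"))
        f = FAILED_RE.search(msg)
        if f:
            s.update(user=f.group("user"), rhost=f.group("ip"))
    out = []
    for pid, s in sessions.items():
        code = s.get("pam_code")
        out.append(dict(s, pid=pid,
                        pam_name=PAM_CODES.get(code, "unknown") if code is not None else None,
                        verdict=classify(code) if code is not None else "no pam_sss verdict"))
    return out


if __name__ == "__main__":
    for s in triage_auth_log(SAMPLE_AUTH_LOG):
        print("%s pid=%s user=%s rhost=%s code=%s (%s) -> %s" % (
            s["first_seen"], s["pid"], s.get("user"), s.get("rhost"),
            s.get("pam_code"), s.get("pam_name"), s["verdict"]))
```

On the post's lines the triage separates the two sessions into `backend-error` (pid 29803, code 4) and `cred-error` (pid 29823, code 17); only the second is a verdict on the password, so a `backend-error` session is the one to chase in sssd's own logs rather than in the user's credentials.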