Enumerate users from external group from AD trust
by Bolke de Bruin
Hello,
I have sssd 1.13.00 working against a FreeIPA 4.2 domain. This domain has a trust relationship with an Active Directory domain.
One of the systems we are using (Apache Ranger) requires, by (unfortunate) design, enumerating all users in groups. This is done by using
“getent group”. During this enumeration the full user list for a group that has a nested external member group* is not always returned, so we thought to
add “getent group mygroup” in order to get more details. Unfortunately this does not seem to work consistently: sometimes it gives information, sometimes it does not:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
[root@master centos]# id bolke@ad.local
uid=1796201107(bolke@ad.local) gid=1796201107(bolke@ad.local) groups=1796201107(bolke@ad.local),1796200513(domain users@ad.local),1796201108(test@ad.local)
[root@master centos]# getent group ad_users
ad_users:*:1950000004:bolke@ad.local
If I clear the cache (sss_cache -E) the entry is gone again:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
My question is how do I get sssd to enumerate *all users* in a group consistently?
Thanks!
Bolke
* https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-g...
full_name_format and supplemental groups
by Orion Poplawski
Running IPA with an AD trust. Users are in AD. Trying to use
full_name_format = %1$s to strip the domain from user names. This appears to
break supplemental groups in strange ways.
On the IPA server:
Without full_name_format:
# id orion@ad.nwra.com
uid=470202603(orion@ad.nwra.com) gid=470202603(orion@ad.nwra.com) groups=470202603(orion@ad.nwra.com),470200513(domain users@ad.nwra.com),470204703(pirep rd users@ad.nwra.com),470204714(wireless access@ad.nwra.com),470204715(nwra-users@ad.nwra.com),470204701(boulder@ad.nwra.com),470207608(heimdall users@ad.nwra.com),470200512(domain admins@ad.nwra.com),470207124(andreas admins@ad.nwra.com)
With:
# id orion@ad.nwra.com
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
If I add:
default_domain_suffix = ad.nwra.com
# id orion
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion),470200512(domain admins),470207608(heimdall users),470204714(wireless access),470204715(nwra-users),470204701(boulder),470204703(pirep rd users),470207124(andreas admins),470200513(domain users)
Which I guess makes some sense as you'd need to add the domain suffix back on
to find the groups.
But this appears to completely break IPA clients (with full_name_format = %1$s
and default_domain_suffix = ad.nwra.com):
# id orion@ad.nwra.com
id: orion@ad.nwra.com: no such user
# id orion
id: orion: no such user
From looking at the server logs, it looks like only the IPA domain is searched.
If I reset the server back to normal (drop full_name_format and
default_domain_suffix):
# id orion
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
I don't get any supplemental groups. I see sssd errors like:
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
Is it trying "cn=groups,cn=nwra.com,cn=sysdb" instead of
"cn=groups,cn=ad.nwra.com,cn=sysdb"?
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 http://www.nwra.com
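Added example (not from either post above, and not SSSD project code): a small Python cross-check of the two views of membership that both threads depend on, the forward view from `getent group` and the reverse view from `id`. It normalizes names so that a qualified name such as orion@ad.example.com and the short form produced by full_name_format = %1$s compare equal once a default domain is supplied, then reports the groups that `id` assigns to a user but whose `getent group` line does not list that user. That is the silent failure that bites software such as Apache Ranger, which enumerates groups instead of asking for a user's groups. The command output embedded in the script is constructed, and ad.example.com is a stand-in for the trusted AD domain.

```python
#!/usr/bin/env python3
"""Cross-check group membership as seen by `getent group` (forward) against
the supplemental groups that `id` reports for a user (reverse).

Added example; not code from the original posts or from the SSSD project.
Names are normalized so that a qualified "user@ad.example.com" and the short
form produced by full_name_format = %1$s compare equal once a default domain
is supplied. The sample command output is constructed; ad.example.com stands
in for the trusted AD domain (assumption).
"""
import re
import subprocess
from typing import Dict, List, Set

DEFAULT_DOMAIN = "ad.example.com"  # assumption: plays the role of default_domain_suffix

# Constructed `getent group <name>` output, one line per group queried.
GETENT_GROUP = [
    "ad_users:*:1950000004:",  # IPA group whose external (AD) members were not expanded
    "domain users@ad.example.com:*:470200513:orion@ad.example.com",
    "wireless access@ad.example.com:*:470204714:",  # user missing on the forward path
]

# Constructed `id orion@ad.example.com` output (English locale).
ID_OUTPUT = (
    "uid=470202603(orion@ad.example.com) gid=470202603(orion@ad.example.com) "
    "groups=470202603(orion@ad.example.com),470200513(domain users@ad.example.com),"
    "470204714(wireless access@ad.example.com)"
)


def norm(name: str, default_domain: str = DEFAULT_DOMAIN) -> str:
    """Lower-case a name and qualify it with default_domain if it has no realm part."""
    name = name.strip().lower()
    if "@" in name or not default_domain:
        return name
    return f"{name}@{default_domain.lower()}"


def parse_getent_group(lines: List[str]) -> Dict[str, Set[str]]:
    """Map group -> members from `getent group` lines (name:passwd:gid:member,member)."""
    groups: Dict[str, Set[str]] = {}
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        name, _passwd, _gid, members = line.split(":", 3)
        groups[norm(name)] = {norm(m) for m in members.split(",") if m}
    return groups


def parse_id_groups(id_text: str) -> Set[str]:
    """Extract group names from the groups=gid(name),gid(name) field of `id` output."""
    match = re.search(r"groups=(.*)$", id_text.strip())
    if not match:
        return set()
    return {norm(g) for g in re.findall(r"\d+\(([^)]+)\)", match.group(1))}


def missing_forward(user: str, id_text: str, getent_lines: List[str]) -> Set[str]:
    """Groups that `id` assigns to user but whose `getent group` line omits user.

    The user-private group (same name as the user) is skipped: it legitimately
    has an empty member list.
    """
    user = norm(user)
    forward = parse_getent_group(getent_lines)
    claimed = parse_id_groups(id_text) - {user}
    return {g for g in claimed if user not in forward.get(g, set())}


def live_check(user: str) -> Set[str]:
    """Run the real commands on this host (needs a working sssd/NSS setup)."""
    id_text = subprocess.run(["id", user], capture_output=True, text=True, check=True).stdout
    lines: List[str] = []
    for group in parse_id_groups(id_text):
        out = subprocess.run(["getent", "group", group], capture_output=True, text=True)
        lines.extend(out.stdout.splitlines())
    return missing_forward(user, id_text, lines)


if __name__ == "__main__":
    for group in sorted(missing_forward("orion", ID_OUTPUT, GETENT_GROUP)):
        print(f"{group}: listed by id, but getent group does not show the user")
```

live_check() inherits whatever name format the host's sssd.conf produces, so pass the user in the form `id` accepts there; run it once with a warm cache and once after sss_cache -E to see the inconsistency the first post describes.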
netlink messages on Infiniband causing sssd to exit
by Ryan Novosielski
Over time, I’ve been having seemingly random sssd quits that I’ve not been able to figure out. Today, I finally traced it to fluctuations on my Infiniband fabric:
sssd.log
(Tue Nov 3 13:17:59 2015) [sssd] [message_type] (0x0200): netlink Message type: 16
(Tue Nov 3 13:17:59 2015) [sssd] [link_msg_handler] (0x1000): netlink link message: iface idx 4 (ib0) flags 0x1003 (broadcast,multicast,up)
(Tue Nov 3 13:17:59 2015) [sssd] [message_type] (0x0200): netlink Message type: 16
(Tue Nov 3 13:17:59 2015) [sssd] [link_msg_handler] (0x1000): netlink link message: iface idx 4 (ib0) flags 0x11043 (broadcast,multicast,up,running,lower)
This exactly corresponds to the time in /var/log/messages for the unexplained shutdown:
2015-11-03T13:17:59-05:00 node75 sssd[pam]: Shutting down
2015-11-03T13:17:59-05:00 node75 sssd[be[default]]: Shutting down
2015-11-03T13:17:59-05:00 node75 sssd[nss]: Shutting down
Here is sssd_default.log for good measure:
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [sbus_remove_watch] (0x2000): 0x1414770/0x14133d0
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [sbus_remove_watch] (0x2000): 0x1414770/0x13fef90
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [be_ptask_destructor] (0x0400): Terminating periodic task [Cleanup of default]
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [sdap_handle_release] (0x2000): Trace: sh[0x14bd850], connected[1], ops[(nil)], ldap[0x1424260], destructor_lock[0], release_memory[0]
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [remove_connection_callback] (0x4000): Successfully removed connection callback.
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [sbus_remove_watch] (0x2000): 0x1415970/0x1416430
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [remove_socket_symlink] (0x4000): The symlink points to [/var/lib/sss/pipes/private/sbus-dp_default.18702]
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [remove_socket_symlink] (0x4000): The path including our pid is [/var/lib/sss/pipes/private/sbus-dp_default.18702]
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [remove_socket_symlink] (0x4000): Removed the symlink
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [be_client_destructor] (0x0400): Removed PAM client
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [be_client_destructor] (0x0400): Removed NSS client
I can duplicate this by manually taking down the Infiniband link:
[root@node24 ~]# service sssd status
sssd (pid 9132) is running...
[root@node24 ~]# ifdown ib0
[root@node24 ~]# service sssd status
sssd dead but pid file exists
I have also noticed that sssd will not start on boot. As I know that Infiniband tends to flutter a little bit before the link comes up, I’m thinking this is probably the same cause.
Can anyone explain this behavior and tell me what I might do to prevent it?
--
Note: UMDNJ is now Rutgers-Biomedical and Health Sciences
Ryan Novosielski - Senior Technologist
novosirj@rutgers.edu - 973/972.0922 (2x0922)
OIRT/High Perf & Res Comp - MSB C630, Newark
Rutgers Biomedical and Health Sciences
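Added example (not from the post above, and not SSSD project code): the correlation Ryan did by eye, automated. The script parses the netlink link messages from sssd.log and the "Shutting down" lines from syslog, then pairs every link-state change on an interface with the sssd services that went down within a few seconds after it. Both logs are assumed to come from the same host, so the naive timestamps in sssd.log and the offset-bearing syslog timestamps describe the same local time. The log lines embedded below are constructed to mirror the shapes quoted in the post.

```python
#!/usr/bin/env python3
"""Correlate netlink link-state messages in sssd.log with unexplained
"Shutting down" lines in syslog.

Added example; not code from the original post or from the SSSD project.
Both logs are assumed to come from the same host and timezone. The sample
lines are constructed to mirror the shapes quoted in the post.
"""
import re
from datetime import datetime
from typing import Dict, List, Tuple

SSSD_LOG = [
    "(Tue Nov  3 12:00:00 2015) [sssd] [link_msg_handler] (0x1000): netlink link message: iface idx 2 (eth0) flags 0x11043 (broadcast,multicast,up,running,lower)",
    "(Tue Nov  3 13:17:59 2015) [sssd] [message_type] (0x0200): netlink Message type: 16",
    "(Tue Nov  3 13:17:59 2015) [sssd] [link_msg_handler] (0x1000): netlink link message: iface idx 4 (ib0) flags 0x1003 (broadcast,multicast,up)",
    "(Tue Nov  3 13:17:59 2015) [sssd] [link_msg_handler] (0x1000): netlink link message: iface idx 4 (ib0) flags 0x11043 (broadcast,multicast,up,running,lower)",
]
SYSLOG = [
    "2015-11-03T12:00:01-05:00 node75 sshd[1234]: Accepted publickey for root",
    "2015-11-03T13:17:59-05:00 node75 sssd[pam]: Shutting down",
    "2015-11-03T13:17:59-05:00 node75 sssd[be[default]]: Shutting down",
    "2015-11-03T13:17:59-05:00 node75 sssd[nss]: Shutting down",
]

LINK_RE = re.compile(
    r"^\((?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\) \[sssd\] \[link_msg_handler\] "
    r"\(0x[0-9a-fA-F]+\): netlink link message: iface idx \d+ \((?P<iface>[^)]+)\) "
    r"flags (?P<flags>0x[0-9a-fA-F]+) \((?P<names>[^)]*)\)$"
)
# Lazy match so the nested brackets in sssd[be[default]] are captured whole.
SHUTDOWN_RE = re.compile(r"^(?P<ts>\S+) \S+ sssd\[(?P<svc>.+?)\]: Shutting down$")


def parse_link_events(lines: List[str]) -> List[Tuple[datetime, str, str]]:
    """(time, interface, flag names) for each netlink link message in sssd.log."""
    events = []
    for line in lines:
        m = LINK_RE.match(line)
        if m:
            # strptime treats the space before the day as any run of whitespace.
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            events.append((ts, m.group("iface"), m.group("names")))
    return events


def parse_shutdowns(lines: List[str]) -> List[Tuple[datetime, str]]:
    """(local time, sssd service) for each 'Shutting down' line in syslog."""
    downs = []
    for line in lines:
        m = SHUTDOWN_RE.match(line)
        if m:
            # The offset printed by syslog is the host's own, so dropping it
            # yields the same naive local time that sssd.log uses.
            ts = datetime.fromisoformat(m.group("ts")).replace(tzinfo=None)
            downs.append((ts, m.group("svc")))
    return downs


def correlate(sssd_lines: List[str], syslog_lines: List[str],
              window_seconds: int = 5) -> Dict[Tuple[str, str], List[str]]:
    """(interface, shutdown time) -> services that shut down within
    window_seconds after a link message on that interface."""
    hits: Dict[Tuple[str, str], set] = {}
    for ev_time, iface, _names in parse_link_events(sssd_lines):
        for dn_time, svc in parse_shutdowns(syslog_lines):
            delta = (dn_time - ev_time).total_seconds()
            if 0 <= delta <= window_seconds:
                hits.setdefault((iface, dn_time.isoformat()), set()).add(svc)
    return {key: sorted(svcs) for key, svcs in hits.items()}


if __name__ == "__main__":
    for (iface, when), svcs in correlate(SSSD_LOG, SYSLOG).items():
        print(f"{when}: link change on {iface} followed by shutdown of {', '.join(svcs)}")
```

Feed it the real files with open("/var/log/sssd/sssd.log").read().splitlines() and the syslog equivalent; an interface that shows up repeatedly in the result is the one whose link flaps to chase.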
Can I make SSSD do additional work with oddjobd?
by Patrice Peterson
Hey list,
is there a way to have SSSD do additional work when creating a home
directory? I am using it in a HPC cluster context and I need to create a
user account in the batch system's database. I had a look at what
oddjobd could do, but from what I could tell, the PAM stack calls
oddjob's com.redhat.oddjob_mkhomedir method over D-Bus.
Apologies if this is the wrong place to ask this question, but I
couldn't quite tell where else to post it.
Best,
Patrice
--
Patrice Peterson
HPC Applications Officer
Martin-Luther-Universität Halle-Wittenberg
IT Service Centre, Room E.09.0
Kurt-Mothes-Straße 1
06120 Halle (Saale)
Phone: 0345-55 21864
Problem with case sensitivity in Keytab
by Patrice Peterson
Hey list,
I have joined a CentOS 7 host to an AD domain using a fairly new version of adcli (one of the versions that has this [0] bug fixed). In its keytab, this host has a service principal of the form 'host/fqdn@REALM' (i.e. lowercase). User lookups with SSSD don't work, and the SSSD log says "Client 'host/fqdn@REALM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection."
However, if I use the 'old' adcli to join the node and create the keytab, it creates a service principal of the form 'HOST/fqdn@REALM'. With this keytab, I can do username lookups just fine.
Should this be considered a bug? Is there a way to make service principal lookups w/SSSD case insensitive? I would like to keep the lower-case principal names in my keytabs, because OpenSSH GSSAPI auth only works with those.
Thanks for any pointers!
Best,
Patrice
[0] https://bugs.freedesktop.org/show_bug.cgi?id=84749
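Added example (not from the post above, and not adcli or SSSD project code): Kerberos principal names are case-sensitive, so host/fqdn@REALM and HOST/fqdn@REALM are different keys, and the first thing to establish is which spellings a keytab actually holds. The script below parses `klist -k` output and reports the service-name forms present for a given FQDN, plus any principals that differ only by case. The listings are constructed to illustrate the two adcli behaviours described in the post; node1.example.com and EXAMPLE.COM are assumptions. Whatever spelling you settle on, sssd-ldap(5)'s ldap_sasl_authid option lets you name the principal SSSD must use explicitly, and the listing tells you the exact string to put there.

```python
#!/usr/bin/env python3
"""Inspect `klist -k` output for case variants of the host service principal.

Added example; not code from the original post, adcli or the SSSD project.
Kerberos principal names are case-sensitive, so 'host/x@R' and 'HOST/x@R' are
different keytab entries. The listings are constructed; hostname and realm are
assumptions.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed: keytab as written by a recent adcli (lower-case service name).
KLIST_NEW = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 NODE1$@EXAMPLE.COM
   2 host/node1.example.com@EXAMPLE.COM
   2 RestrictedKrbHost/node1.example.com@EXAMPLE.COM
"""

# Constructed: keytab as written by an older adcli (upper-case service name).
KLIST_OLD = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 NODE1$@EXAMPLE.COM
   2 HOST/node1.example.com@EXAMPLE.COM
"""

# Constructed: a keytab carrying both spellings (e.g. after ktutil merging).
KLIST_MERGED = KLIST_NEW + "   2 HOST/node1.example.com@EXAMPLE.COM\n"

ENTRY_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+)$")


def parse_klist(text: str) -> List[Tuple[int, str]]:
    """(kvno, principal) for every entry line of `klist -k` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group("kvno")), m.group("principal")))
    return entries


def split_principal(principal: str) -> Tuple[str, str, str]:
    """'svc/instance@REALM' -> (svc, instance, REALM); 'name@REALM' -> ('', name, REALM)."""
    name, _, realm = principal.rpartition("@")
    svc, sep, inst = name.partition("/")
    return (svc, inst, realm) if sep else ("", name, realm)


def host_service_forms(text: str, fqdn: str) -> Set[str]:
    """Exact spellings of the service part found for host-type principals of fqdn."""
    forms = set()
    for _kvno, principal in parse_klist(text):
        svc, inst, _realm = split_principal(principal)
        if svc.lower() == "host" and inst.lower() == fqdn.lower():
            forms.add(svc)
    return forms


def case_variants(text: str) -> Dict[str, Set[str]]:
    """Principals that differ only by case, keyed by their lower-cased form."""
    by_lower: Dict[str, Set[str]] = {}
    for _kvno, principal in parse_klist(text):
        by_lower.setdefault(principal.lower(), set()).add(principal)
    return {k: v for k, v in by_lower.items() if len(v) > 1}


def report(text: str, fqdn: str) -> str:
    """One-line summary of which host principal spellings the keytab holds."""
    forms = host_service_forms(text, fqdn)
    if not forms:
        return f"no host principal for {fqdn} in keytab"
    return "host principal forms for %s: %s" % (fqdn, ", ".join(sorted(forms)))


if __name__ == "__main__":
    for label, listing in (("new adcli", KLIST_NEW), ("old adcli", KLIST_OLD), ("merged", KLIST_MERGED)):
        print(label + ": " + report(listing, "node1.example.com"))
```

For a live check, pass the output of `klist -k /etc/krb5.keytab` (run as root) to report(); the spelling it shows for the host principal is the one to compare against what the KDC complains about in the SSSD log.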
multiple sudo rules?
by Mote, Todd
Hi all, how does sssd process multiple sudo rules from an OU search base? I have my base pointed at an OU where I have one sudo rule applied, and that works, but I have another farther down. I can see in the logs that it sees both rules. What I can't find is how sssd handles that. Does it merge the rules? How does it handle conflicts? Does computer object location matter like it does for group policies?
Todd
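Added example (not from the post above, and not sudo or SSSD project code): a minimal evaluator that applies the sudoers.ldap semantics to a handful of constructed sudoRole entries. SSSD only fetches and caches the rules under ldap_sudo_search_base; sudo's sss plugin does the matching, and it considers every rule whose sudoUser and sudoHost match, so rules merge. When more than one matching rule mentions the same command, the one with the highest sudoOrder is the "last match" that decides the verdict and options (the 1.11.8 release notes further down this page record SSSD aligning its sort order with exactly that rule). The OU the computer object sits in plays no part; only sudoHost does. The rule, user and host names are constructed; netgroups, wildcards and sudoNotBefore/sudoNotAfter are deliberately left out.

```python
#!/usr/bin/env python3
"""Evaluate LDAP sudoRole entries with sudoers.ldap semantics: all rules whose
sudoUser and sudoHost match are considered, and when several mention the same
command the one with the highest sudoOrder is the "last match" that wins.

Added example; not code from the original post, sudo or the SSSD project.
The sudoRole entries, users and hosts are constructed. Netgroups, wildcards
and sudoNotBefore/sudoNotAfter are deliberately omitted.
"""
from typing import Dict, List, Optional, Set

RULES: List[Dict[str, object]] = [
    {"cn": "linux_admins", "sudoUser": ["%linux-admins"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL"], "sudoOption": [], "sudoOrder": 10},
    {"cn": "httpd_restart", "sudoUser": ["alice"], "sudoHost": ["web01.example.com"],
     "sudoCommand": ["/usr/bin/systemctl restart httpd"],
     "sudoOption": ["!authenticate"], "sudoOrder": 20},
    {"cn": "no_root_shell", "sudoUser": ["%linux-admins"], "sudoHost": ["ALL"],
     "sudoCommand": ["!/bin/bash"], "sudoOption": [], "sudoOrder": 30},
    # No sudoOrder attribute: sudo treats that as 0, so it sorts first.
    {"cn": "unordered", "sudoUser": ["bob"], "sudoHost": ["ALL"],
     "sudoCommand": ["/bin/ls"], "sudoOption": []},
]


def user_matches(specs: List[str], user: str, groups: Set[str]) -> bool:
    """sudoUser: ALL, a user name, or %group."""
    for spec in specs:
        if spec == "ALL" or spec == user:
            return True
        if spec.startswith("%") and spec[1:] in groups:
            return True
    return False


def host_matches(specs: List[str], host: str) -> bool:
    """sudoHost: ALL or a hostname (compared case-insensitively)."""
    return any(spec == "ALL" or spec.lower() == host.lower() for spec in specs)


def command_matches(spec: str, command: str) -> bool:
    """sudoCommand: ALL or an exact command string."""
    return spec == "ALL" or spec == command


def evaluate(rules: List[Dict[str, object]], user: str, groups: Set[str],
             host: str, command: str) -> Optional[Dict[str, object]]:
    """Verdict for (user, host, command), or None if no matching rule mentions it.

    Rules are walked in ascending sudoOrder; each matching command overwrites
    the verdict, so the highest-ordered match is the one that sticks.
    """
    verdict: Optional[Dict[str, object]] = None
    ordered = sorted(rules, key=lambda r: float(r.get("sudoOrder", 0)))
    for rule in ordered:
        if not (user_matches(rule["sudoUser"], user, groups)
                and host_matches(rule["sudoHost"], host)):
            continue
        for cmd in rule["sudoCommand"]:
            negated = cmd.startswith("!")
            if command_matches(cmd.lstrip("!"), command):
                verdict = {"allowed": not negated, "rule": rule["cn"],
                           "options": list(rule["sudoOption"])}
    return verdict


if __name__ == "__main__":
    for cmd in ("/bin/bash", "/usr/bin/systemctl restart httpd"):
        print(cmd, "->", evaluate(RULES, "alice", {"linux-admins"}, "web01.example.com", cmd))
```

The two constructed cases show the behaviour Todd asks about: the group-wide "ALL" rule and the per-user httpd rule merge, the higher-ordered httpd rule supplies the !authenticate option for that one command, and the even higher-ordered "!/bin/bash" rule overrides the earlier ALL for the shell. Swap the sudoOrder values and the verdicts flip, which is why sudoOrder must be set deliberately on every rule that can collide.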
Re: Empty groups with getent group and sssd [SOLVED]
by Felip Moll
Sorry, I found it.
One time I used authconfig with --enablerfc2307bis, and then I removed the
option from the command line assuming that it would be erased from the
config.
The config still had the rfc2307bis.
Sorry :)
--Felip Moll Marquès
Computer Science Engineer
E-Mail - lipixx@gmail.com
WebPage - http://lipix.ciutadella.es
2016-02-18 15:44 GMT+01:00 Felip Moll <lipixx@gmail.com>:
> Hello,
>
> I configured sssd with authconfig in a CentOS 6. My users are shown
> perfectly with getent passwd, and my groups are shown, but empty.
>
> I tried with debug 9 in [nss] section in sssd.conf but I found nothing
> relevant.
>
> Also cleared cache (sss_cache -E), turned on/off enumerate, etc. Any
> advice on what to look for?
>
>
> Fragment of sssd_nss.log:
> -----------------------------------
> ...
> (Thu Feb 18 15:21:12 2016) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GROUP/default/usertest]
> (Thu Feb 18 15:21:12 2016) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GROUP/default/devel]
> ....
>
>
> rfc2307 LDAP setup - ldapsearch:
> ------------------------------------------
> # devel, Groups, test.cat
> dn: cn=devel,ou=Groups,dc=test,dc=cat
> objectClass: posixGroup
> description: Devel staff
> gidNumber: 40003
> cn: devel
> memberUid: user1
> memberUid: user2
>
> authconfig line:
> --------------------
> authconfig --enablelocauthorize --enablecachecreds --enableldap
> --enableldapauth --ldapserver=ldap://head1 --ldapbasedn="dc=test,dc=cat"
> --enableldaptls --enableldapstarttls --updateall
>
> getent group:
> ------------------
> .....
> usertest:*:40004:
> devel:*:40003:
> .....
>
>
>
>
> Thank you very much.
> Felip M
>
>
> --Felip Moll Marquès
> Computer Science Engineer
> E-Mail - lipixx@gmail.com
> WebPage - http://lipix.ciutadella.es
>
Empty groups with getent group and sssd
by Felip Moll
Hello,
I configured sssd with authconfig in a CentOS 6. My users are shown
perfectly with getent passwd, and my groups are shown, but empty.
I tried with debug 9 in [nss] section in sssd.conf but I found nothing
relevant.
Also cleared cache (sss_cache -E), turned on/off enumerate, etc. Any advice
on what to look for?
Fragment of sssd_nss.log:
-----------------------------------
...
(Thu Feb 18 15:21:12 2016) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GROUP/default/usertest]
(Thu Feb 18 15:21:12 2016) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GROUP/default/devel]
....
rfc2307 LDAP setup - ldapsearch:
------------------------------------------
# devel, Groups, test.cat
dn: cn=devel,ou=Groups,dc=test,dc=cat
objectClass: posixGroup
description: Devel staff
gidNumber: 40003
cn: devel
memberUid: user1
memberUid: user2
authconfig line:
--------------------
authconfig --enablelocauthorize --enablecachecreds --enableldap
--enableldapauth --ldapserver=ldap://head1 --ldapbasedn="dc=test,dc=cat"
--enableldaptls --enableldapstarttls --updateall
getent group:
------------------
.....
usertest:*:40004:
devel:*:40003:
.....
Thank you very much.
Felip M
--Felip Moll Marquès
Computer Science Engineer
E-Mail - lipixx@gmail.com
WebPage - http://lipix.ciutadella.es
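Added example (not from Felip's posts, and not SSSD project code) for the root cause he found in the [SOLVED] reply above: an RFC 2307 group carries posixGroup plus memberUid values, an RFC 2307bis group carries member DNs, and if sssd.conf says ldap_schema = rfc2307bis (which is what authconfig --enablerfc2307bis writes) while the directory only serves memberUid, SSSD looks for the wrong membership attribute and every group comes back empty. The script reads a small LDIF dump and a sssd.conf fragment and reports whether the two agree. The LDIF mirrors the ldapsearch output in the thread; the config fragment is constructed. Per sssd-ldap(5), rfc2307 is the default when ldap_schema is absent.

```python
#!/usr/bin/env python3
"""Detect an ldap_schema mismatch between sssd.conf and the directory.

Added example; not code from the original posts or from the SSSD project.
rfc2307 groups use memberUid; rfc2307bis groups use member DNs. The LDIF
mirrors the thread's ldapsearch output and the config fragment is constructed.
"""
import configparser
from typing import Dict, List

LDIF = """\
# devel, Groups, test.cat
dn: cn=devel,ou=Groups,dc=test,dc=cat
objectClass: posixGroup
description: Devel staff
gidNumber: 40003
cn: devel
memberUid: user1
memberUid: user2

dn: cn=usertest,ou=Groups,dc=test,dc=cat
objectClass: posixGroup
gidNumber: 40004
cn: usertest
"""

SSSD_CONF = """\
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://head1
ldap_search_base = dc=test,dc=cat
ldap_schema = rfc2307bis
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines.

    Comment lines are skipped; folded continuation lines are not handled.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines() + [""]:
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def observed_schema(entries: List[Dict[str, List[str]]]) -> str:
    """'rfc2307bis' if any group lists member DNs, 'rfc2307' if only memberUid."""
    attrs = {a.lower() for entry in entries for a in entry}
    if "member" in attrs:
        return "rfc2307bis"
    if "memberuid" in attrs:
        return "rfc2307"
    return "unknown"


def configured_schema(conf_text: str, domain: str = "default") -> str:
    """ldap_schema for the domain section; rfc2307 is sssd-ldap(5)'s default."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.get(f"domain/{domain}", "ldap_schema", fallback="rfc2307").strip().lower()


def check(conf_text: str, ldif_text: str, domain: str = "default") -> Dict[str, object]:
    """Compare configured and observed schema; mismatch is only claimed when observed is known."""
    configured = configured_schema(conf_text, domain)
    observed = observed_schema(parse_ldif(ldif_text))
    return {"configured": configured, "observed": observed,
            "mismatch": observed != "unknown" and configured != observed}


if __name__ == "__main__":
    print(check(SSSD_CONF, LDIF))
```

For a live run, feed it open("/etc/sssd/sssd.conf").read() and the output of ldapsearch against ou=Groups; a "mismatch": True result with observed rfc2307 is exactly the empty-groups symptom, and the fix is to set ldap_schema to the observed value (or drop the line, since rfc2307 is the default) and run sss_cache -E.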
Announcing SSSD 1.11.8
by Jakub Hrozek
=== SSSD 1.11.8 ===
The SSSD team is proud to announce the release of version 1.11.8 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* This release focuses on backporting bug fixes from the 1.12 and 1.13
releases. At the moment, the SSSD upstream does not plan on releasing
1.11.9, barring security issues or regressions in this release. We
recommend that all users of 1.11 upgrade to 1.12 or 1.13.
* Several bugs related to using id_provider=ldap together with ID mapping
enabled were fixed
* Fixed a potential use-after-free error in the nested groups resolution code
* The service restart code in the main "sssd" process was improved
* The PAC responder can be built with MIT Kerberos versions 1.13 and 1.14
* A potential segfault in the memberof ldb plugin was fixed
* The LDAP child no longer leaves a stray temporary file behind in case
acquiring the credentials fails
* The sudo responder works correctly even for users or groups whose name
contains an LDAP special character such as )
* The autofs responder now works even with setups that enable the
default_domain_suffix option
* A memory leak in the NSS responder when a non-existing netgroup was
requested is fixed in this release
* The SSSD no longer leaks a file descriptor if service discovery times
out when discovering an LDAP server
* The sudo responder fixed the logic to sort entries with the sudoOrder
attribute to match the sudo's native LDAP code
== Documentation Changes ==
* The ldap_use_tokengroups option defaults to false in the generic LDAP
provider. Previously, both the AD and LDAP provider (with ldap_schema
set to ad) attempted to use the tokenGroups, resulting in numerous bugs.
== Tickets Fixed ==
* https://fedorahosted.org/sssd/ticket/2412
Error processing universal groups with cross-domain membership in
SSSD server mode
* https://fedorahosted.org/sssd/ticket/2471
RHEL6.6 sssd (1.11) fails if IPA permissions and roles have the
same name
* https://fedorahosted.org/sssd/ticket/2484
Password change over ssh doesn't work with OTP and FreeIPA
* https://fedorahosted.org/sssd/ticket/2448
MAN: If ldap_group_base is set, tokengroups might not be able to
convert all GIDs to names
* https://fedorahosted.org/sssd/ticket/2445
Race condition while invalidating memory cache in client code
* https://fedorahosted.org/sssd/ticket/2492
Group membership gets lost in IPA server mode
* https://fedorahosted.org/sssd/ticket/2573
Use after free in proxy provider.
* https://fedorahosted.org/sssd/ticket/2611
sssd_be dumping core if enumeration times out
* https://fedorahosted.org/sssd/ticket/2525
Monitor SIGKILL timer issue and service restart failure
* https://fedorahosted.org/sssd/ticket/2572
[abrt] sssd-common: talloc_abort(): sssd killed by SIGABRT
* https://fedorahosted.org/sssd/ticket/2430
sssd segfaults repeatedly with error 4 in memberof.so
* https://fedorahosted.org/sssd/ticket/1096
Clock skew in krb5 auth should result in offline operation, not failure
* https://fedorahosted.org/sssd/ticket/2592
ccname_file_dummy is not unlinked on error
* https://fedorahosted.org/sssd/ticket/2613
sysdb sudo search doesn't escape special characters
* https://fedorahosted.org/sssd/ticket/2625
Sudo responder does not respect filter_users and filter_groups
* https://fedorahosted.org/sssd/ticket/2643
autofs provider fails when default_domain_suffix and
use_fully_qualified_names set
* https://fedorahosted.org/sssd/ticket/2634
sssd nss responder gets wrong number of secondary groups
* https://fedorahosted.org/sssd/ticket/2644
ignore_group_members doesn't work for subdomains
* https://fedorahosted.org/sssd/ticket/2659
IPA enumeration provider crashes
* https://fedorahosted.org/sssd/ticket/2663
id lookup for non-root domain users doesn't return all groups on
first attempt
* https://fedorahosted.org/sssd/ticket/2681
SSSD cache is not updated after user is deleted from ldap server
* https://fedorahosted.org/sssd/ticket/2744
cleanup_groups should sanitize dn of groups
* https://fedorahosted.org/sssd/ticket/2800
Relax POSIX check
* https://fedorahosted.org/sssd/ticket/2803
Memory leak / possible DoS with krb auth.
* https://fedorahosted.org/sssd/ticket/2792
SSSD is not closing sockets properly
* https://fedorahosted.org/sssd/ticket/2888
SRV lookups with id_provider=proxy and auth_provider=krb5
* https://fedorahosted.org/sssd/ticket/2865
sssd_nss memory usage keeps growing on sssd-1.12.4-47.el6.x86_64
(RHEL6.7) when trying to retrieve non-existing netgroups
* https://fedorahosted.org/sssd/ticket/2682
sudoOrder not honored as expected
== Detailed Changelog ==
Adam Tkac (1):
* Option filter_users had no effect for retrieving sudo rules
Aron Parsons (1):
* autofs: fix 'Cannot allocate memory' with FQDNs
Dan Lavu (1):
* MAN: page edit for ldap_use_tokengroups
Daniel Hjorth (1):
* LDAP: unlink ccname_file_dummy if there is an error
Jakub Hrozek (8):
* Updating the version for the 1.11.8 development
* IPA: Use GC for group lookups in server mode
* LDAP: Do not clobber return value when multiple controls are returned
* PAC: krb5_pac_verify failures should not be fatal
* LDAP: return after tevent_req_error
* KRB5: Go offline in case of clock skew
* Download complete groups if ignore_group_members is set with tokengroups
* DP: Set extra_value to NULL for enum requests
Jan Engelhardt (1):
* build: call AC_BUILD_AUX_DIR before anything else
Lukas Slebodnik (16):
* Revert "LDAP: Change defaults for ldap_user/group_objectsid"
* LDAP: Disable token groups by default
* sss_client: Extract destroying of mmap cache to function
* sss_client: Fix race condition in memory cache
* PROXY: Fix use after free
* pysss_nss_idmap: Use wrapper for older python
* MONITOR: Fix double free
* TEST: Test empty results from functions sysdb_search_*
* SDAP: Do not set gid 0 twice
* nss: Do not ignore default value of SYSDB_INITGR_EXPIRE
* SDAP: Set initgroups expire attribute at the end
* SDAP: Remove user from cache for missing user in LDAP
* LDAP: Sanitize group dn before using in filter
* LDAP: Fix leak of file descriptors
* BUILD: Accept krb5 1.14 for building the PAC plugin
* BUILD: Fix linking issues on debian
Michal Zidek (1):
* LDAP: Change defaults for ldap_user/group_objectsid
Nalin Dahyabhai (1):
* Accept krb5 1.13 for building the PAC plugin
Nikolai Kondrashov (1):
* build: Don't install ad and ipa man pages unnecessarily
Pavel Březina (4):
* IPA: use ipaUserGroup object class for groups
* enumeration: fix talloc context
* sudo: sanitize filter values
* sudo: use "higher value wins" when ordering rules
Pavel Reichl (14):
* LDAP: retain external members
* SDAP: return after tevent_req_error
* sudo: return after tevent_req_error
* monitor: use-after-free bugfix
* monitor: monitor_kill_service - refactor
* monitor: memory-leak bug
* SYSDB: sysdb_search_entry fix memory leak
* SYSDB: sysdb_search_custom fix memory leak
* TESTS: sysdb_search_return_ENOENT - check mem leaks
* SDAP: Relax POSIX check
* NSS: sysdb_getnetgr check return value first
* NSS: sysdb_getnetgr refactor
* NSS: fix memory leak in sysdb_getnetgr
* NSS: Fix memory leak netgroup
Petr Cech (1):
* KRB5: Adding DNS SRV lookup for krb5 provider
Simo Sorce (1):
* Signals: Remove unused functions
Stephen Gallagher (2):
* monitor: Service restart fixes
* UTIL: Do not change SSSD domains in get_domains_head
Sumit Bose (2):
* memberof: check for empty arrays to avoid segfaults
* ldap: use proper sysdb name in groups_by_user_done()
Thomas Oulevey (1):
* Fix memory leak in sssdpac_verify()
sssd, openldap, tls, multiple servers?
by Kevin Martin
I currently have a working openldap/tls/sssd setup with one ldap server. I'm using self signed server side and client side certificates and the CA for the certificates happens to live on the openldap server. This is, obviously, fraught with peril if the openldap server dies! So, I've setup a second server as a replica server and I want to be able to have my sssd clients failover to the replica if the primary goes away. Thus far, my testing has been unsuccessful. I've cut a server cert for the new server but when I try to use the secondary server as the authorized ldap server I get errors like:
additional info: TLS: hostname does not match CN in peer certificate
With my working setup I specify the ldap_tls_cacert, ldap_tls_cert, and ldap_tls_key in my sssd.conf, in my ldap.conf, and in my .ldaprc and authentication works and ldapsearch works (with starttls). If I change my ldap_tls_cert and key stuff to point to my 2nd server keys, everything fails. I'm not sure how to get this working. Ultimately, I'm going to have 4 total ldap servers, 2 each in disparate regions of the country, one of which is the "master" and the 3 others replicas. Any and all help appreciated as I'm very confused at this point.
Thanks.
Kevin Martin
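Added example (not from the post above, and not OpenLDAP or SSSD project code): the "hostname does not match CN in peer certificate" error is the client applying the standard hostname-matching rule to the certificate each server presents, so the check below implements that rule and runs it over a comma-separated ldap_uri failover list like the one sssd-ldap(5) accepts. If the certificate carries dNSName subjectAltNames, only those are compared and the CN is ignored; otherwise the CN is compared; a wildcard covers exactly one leftmost label. Two points worth separating from the post: each replica needs a certificate issued for its own name (or a SAN/wildcard certificate that covers all of them), and ldap_tls_cert / ldap_tls_key in sssd.conf are the client's own identity for client-certificate authentication, so pointing them at a server's key cannot fix a hostname mismatch. Loosening ldap_tls_reqcert to allow or never would silence the error but also remove server authentication, which defeats the point of TLS. The URIs and certificate names below are constructed.

```python
#!/usr/bin/env python3
"""Check which servers in an ldap_uri failover list present a certificate
that covers their own hostname (RFC 6125 style matching).

Added example; not code from the original post, OpenLDAP or the SSSD project.
The URIs and certificate names are constructed.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed: what each replica presents to clients (hostname -> cert names).
SERVER_CERTS: Dict[str, Dict[str, object]] = {
    "ldap1.example.com": {"san": ["ldap1.example.com"], "cn": "ldap1.example.com"},
    # Replica mistakenly deployed with a copy of the primary's certificate.
    "ldap2.example.com": {"san": ["ldap1.example.com"], "cn": "ldap1.example.com"},
    # Replica whose certificate covers every host under ldap.example.com.
    "ldap3.ldap.example.com": {"san": ["*.ldap.example.com"], "cn": "ldap3.ldap.example.com"},
    # Legacy certificate without SAN: the CN is what gets compared.
    "ldap4.example.com": {"san": [], "cn": "ldap4.example.com"},
}
LDAP_URI = ("ldap://ldap1.example.com, ldap://ldap2.example.com, "
            "ldaps://ldap3.ldap.example.com:636, ldap://ldap4.example.com")


def name_matches(pattern: str, host: str) -> bool:
    """Exact or single-label wildcard match, case-insensitive, trailing dots ignored."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Same label count, the wildcard stands for one label only, and it never
    # stands for a registrable domain such as example.com.
    return (len(p_labels) == len(h_labels) and len(h_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def cert_matches_host(host: str, san_dns: List[str], cn: Optional[str]) -> bool:
    """SAN-first rule: the CN is only consulted when there are no dNSName SANs."""
    if san_dns:
        return any(name_matches(p, host) for p in san_dns)
    return cn is not None and name_matches(cn, host)


def failover_report(ldap_uri: str, certs: Dict[str, Dict[str, object]]) -> Dict[str, bool]:
    """uri -> whether the certificate that server presents covers the URI hostname."""
    result: Dict[str, bool] = {}
    for uri in (u.strip() for u in ldap_uri.split(",") if u.strip()):
        host = urlsplit(uri).hostname or ""
        cert = certs.get(host, {"san": [], "cn": None})
        result[uri] = cert_matches_host(host, list(cert["san"]), cert["cn"])
    return result


if __name__ == "__main__":
    for uri, ok in failover_report(LDAP_URI, SERVER_CERTS).items():
        print(f"{uri}: {'ok' if ok else 'HOSTNAME MISMATCH'}")
```

To populate SERVER_CERTS from real servers, take the dNSName entries and the subject CN from `openssl s_client -starttls ldap -connect host:389` (or -connect host:636 for ldaps) piped through `openssl x509 -noout -subject -ext subjectAltName`; any URI reported as a mismatch will fail exactly as the post describes once the client fails over to it.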