Enumerate users from external group from AD trust
by Bolke de Bruin
Hello,
I have sssd 1.13.00 working against a FreeIPA 4.2 domain. This domain has a trust relationship with an Active Directory domain.
One of the systems we are using requires enumerating all users in groups by (unfortunate) design (Apache Ranger). This is done by using
“getent group”. During this enumeration the full user list for a group that has a nested external member group* is not always returned, so we thought to
add “getent group mygroup” in order to get more details. Unfortunately this does not seem to work consistently: sometimes this gives information, sometimes it does not:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
[root@master centos]# id bolke(a)ad.local
UID=1796201107(bolke(a)ad.local) GID=1796201107(bolke(a)ad.local) groepen=1796201107(bolke(a)ad.local),1796200513(domain users@ad.local),1796201108(test(a)ad.local)
[root@master centos]# getent group ad_users
ad_users:*:1950000004:bolke@ad.local
If I clear the cache (sss_cache -E) the entry is gone again:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
My question is how do I get sssd to enumerate *all users* in a group consistently?
Thanks!
Bolke
* https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-g...
4 years
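The post shows two views of the same membership disagreeing: `getent group ad_users` sometimes lists bolke@ad.local while `id bolke@ad.local` never shows gid 1950000004. The script below, added here as an example and not part of the original post, parses both output formats and reports each direction of mismatch, so the comparison the poster did by eye can be run over a full `getent group` dump and a batch of `id` outputs. The sample outputs are constructed from the shapes in the post (`@` where the archive shows `(a)`); the third `id` field is matched by a loose `\w+=` label because the poster's shell printed the Dutch `groepen=` instead of `groups=`.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample outputs, shaped like the getent/id output in the post.
# `@` is used where the archive shows `(a)`; the third `id` field carries the
# Dutch label "groepen=" because the poster's shell ran under a Dutch locale.
GETENT_GROUP_OUTPUT = """\
ad_users:*:1950000004:bolke@ad.local
ipa_admins:*:1950000000:admin
"""

ID_OUTPUT = """\
UID=1796201107(bolke@ad.local) GID=1796201107(bolke@ad.local) groepen=1796201107(bolke@ad.local),1796200513(domain users@ad.local),1796201108(test@ad.local)
uid=1950000001(admin) gid=1950000000(ipa_admins) groups=1950000000(ipa_admins)
"""

# One "<gid>(<name>)" item; group names may contain spaces and '@', never ')'.
GID_NAME_RE = re.compile(r"(\d+)\(([^)]*)\)")
# The three id(1) fields; labels are matched loosely (\w+) so that localized
# labels such as "groepen=" parse the same way as "groups=".
ID_LINE_RE = re.compile(r"^\w+=(\d+)\(([^)]*)\)\s+\w+=(\d+)\(([^)]*)\)\s+\w+=(.*)$")


def parse_getent_group(text: str) -> Dict[str, Tuple[int, List[str]]]:
    """Map group name -> (gid, [member names]) from `getent group` lines."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _passwd, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def parse_id(text: str) -> Dict[str, Dict[int, str]]:
    """Map user name -> {gid: group name} from `id <user>` lines."""
    users = {}
    for line in text.splitlines():
        m = ID_LINE_RE.match(line.strip())
        if not m:
            continue
        user = m.group(2)
        users[user] = {int(gid): gname for gid, gname in GID_NAME_RE.findall(m.group(5))}
    return users


def find_inconsistencies(getent_text: str, id_text: str) -> List[Tuple[str, str, str]]:
    """Cross-check both views of group membership.

    Returns (kind, group, user) triples:
      "id_omits"     - getent lists the user in the group, id does not show the gid
      "getent_omits" - id shows the gid for the user, getent's member list lacks them
    Users or groups absent from the other output are skipped, not reported.
    """
    groups = parse_getent_group(getent_text)
    users = parse_id(id_text)
    findings = []
    for gname, (gid, members) in groups.items():
        for member in members:
            if member in users and gid not in users[member]:
                findings.append(("id_omits", gname, member))
    gid_to_group = {gid: gname for gname, (gid, _members) in groups.items()}
    for user, user_gids in users.items():
        for gid in user_gids:
            gname = gid_to_group.get(gid)
            if gname is not None and user not in groups[gname][1]:
                findings.append(("getent_omits", gname, user))
    return sorted(findings)


if __name__ == "__main__":
    for kind, group, user in find_inconsistencies(GETENT_GROUP_OUTPUT, ID_OUTPUT):
        print(f"{kind}: group {group!r}, user {user!r}")
```

On the constructed sample the only finding is `id_omits` for ad_users / bolke@ad.local, which is exactly the disagreement visible in the post; a snapshot taken right after `sss_cache -E`, where the member list is empty, yields no finding at all, which is why a consistency check like this has to be run against several snapshots rather than once.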
full_name_format and supplemental groups
by Orion Poplawski
Running IPA with an AD trust. Users are in AD. Trying to use
full_name_format = %1$s to strip the domain from user names. This appears to
break supplemental groups in strange ways.
On the IPA server:
Without full_name_format:
# id orion(a)ad.nwra.com
uid=470202603(orion(a)ad.nwra.com) gid=470202603(orion(a)ad.nwra.com) groups=470202603(orion(a)ad.nwra.com),470200513(domain users(a)ad.nwra.com),470204703(pirep rd users(a)ad.nwra.com),470204714(wireless access@ad.nwra.com),470204715(nwra-users@ad.nwra.com),470204701(boulder(a)ad.nwra.com),470207608(heimdall users(a)ad.nwra.com),470200512(domain admins(a)ad.nwra.com),470207124(andreas admins(a)ad.nwra.com)
With:
# id orion(a)ad.nwra.com
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
If I add:
default_domain_suffix = ad.nwra.com
# id orion
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion),470200512(domain admins),470207608(heimdall users),470204714(wireless access),470204715(nwra-users),470204701(boulder),470204703(pirep rd users),470207124(andreas admins),470200513(domain users)
Which I guess makes some sense as you'd need to add the domain suffix back on
to find the groups.
But this appears to completely break IPA clients (with full_name_format = %1$s
and default_domain_suffix = ad.nwra.com):
# id orion(a)ad.nwra.com
id: orion(a)ad.nwra.com: no such user
# id orion
id: orion: no such user
From looking at the server logs, it looks like only the IPA domain is searched.
If I reset the server back to normal (drop full_name_format and
default_domain_suffix):
# id orion
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
I don't get any supplemental groups. I see sssd errors like:
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
Is it trying "cn=groups,cn=nwra.com,cn=sysdb" instead of "cn=groups,cn=ad.nwra.com,cn=sysdb"?
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 http://www.nwra.com
7 years, 1 month
netlink messages on Infiniband causing sssd to exit
by Ryan Novosielski
Over time, I’ve been having seemingly random sssd quits that I’ve not been able to figure out. Today, I finally traced it to fluctuations on my Infiniband fabric:
sssd.log
(Tue Nov 3 13:17:59 2015) [sssd] [message_type] (0x0200): netlink Message type: 16
(Tue Nov 3 13:17:59 2015) [sssd] [link_msg_handler] (0x1000): netlink link message: iface idx 4 (ib0) flags 0x1003 (broadcast,multicast,up)
(Tue Nov 3 13:17:59 2015) [sssd] [message_type] (0x0200): netlink Message type: 16
(Tue Nov 3 13:17:59 2015) [sssd] [link_msg_handler] (0x1000): netlink link message: iface idx 4 (ib0) flags 0x11043 (broadcast,multicast,up,running,lower)
This exactly corresponds to the time in /var/log/messages for the unexplained shutdown:
2015-11-03T13:17:59-05:00 node75 sssd[pam]: Shutting down
2015-11-03T13:17:59-05:00 node75 sssd[be[default]]: Shutting down
2015-11-03T13:17:59-05:00 node75 sssd[nss]: Shutting down
Here is sssd_default.log for good measure:
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [sbus_remove_watch] (0x2000): 0x1414770/0x14133d0
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [sbus_remove_watch] (0x2000): 0x1414770/0x13fef90
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [be_ptask_destructor] (0x0400): Terminating periodic task [Cleanup of default]
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [sdap_handle_release] (0x2000): Trace: sh[0x14bd850], connected[1], ops[(nil)], ldap[0x1424260], destructor_lock[0], release_memory[0]
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [remove_connection_callback] (0x4000): Successfully removed connection callback.
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [sbus_remove_watch] (0x2000): 0x1415970/0x1416430
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [remove_socket_symlink] (0x4000): The symlink points to [/var/lib/sss/pipes/private/sbus-dp_default.18702]
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [remove_socket_symlink] (0x4000): The path including our pid is [/var/lib/sss/pipes/private/sbus-dp_default.18702]
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [remove_socket_symlink] (0x4000): Removed the symlink
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [be_client_destructor] (0x0400): Removed PAM client
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [be_client_destructor] (0x0400): Removed NSS client
I can duplicate this by manually taking down the Infiniband link:
[root@node24 ~]# service sssd status
sssd (pid 9132) is running...
[root@node24 ~]# ifdown ib0
[root@node24 ~]# service sssd status
sssd dead but pid file exists
I have also noticed that sssd will not start on boot. As I know that Infiniband tends to flutter a little bit before the link comes up, I’m thinking this is probably the same cause.
Can anyone explain this behavior and tell me what I might do to prevent it?
--
____ *Note: UMDNJ is now Rutgers-Biomedical and Health Sciences*
|| \\UTGERS |---------------------*O*---------------------
||_// Biomedical | Ryan Novosielski - Senior Technologist
|| \\ and Health | novosirj(a)rutgers.edu - 973/972.0922 (2x0922)
|| \\ Sciences | OIRT/High Perf & Res Comp - MSB C630, Newark
`'
7 years, 3 months
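The poster established the cause by matching the timestamp of the netlink link messages in sssd.log against the "Shutting down" lines in /var/log/messages. The script below, added here as an example and not part of the original post, automates that correlation: it parses both timestamp formats (sssd's `(Tue Nov 3 13:17:59 2015)` debug prefix and the RFC 3339 syslog stamp with its `-05:00` offset), collapses the per-service shutdown lines into one event, and reports which interfaces changed link state within a few seconds of each shutdown. The log lines are constructed from the ones quoted in the post, with one unrelated eth0 change and one uncorrelated shutdown added so the negative case is exercised. It assumes the zone-less sssd timestamps are in the same local time the syslog offset refers to.

```python
import re
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample lines modelled on the two logs quoted in the post; the
# eth0 line and the 18:00 shutdown are additions so the negative case is tested.
SSSD_LOG = """\
(Tue Nov 3 13:17:59 2015) [sssd] [message_type] (0x0200): netlink Message type: 16
(Tue Nov 3 13:17:59 2015) [sssd] [link_msg_handler] (0x1000): netlink link message: iface idx 4 (ib0) flags 0x1003 (broadcast,multicast,up)
(Tue Nov 3 13:17:59 2015) [sssd] [message_type] (0x0200): netlink Message type: 16
(Tue Nov 3 13:17:59 2015) [sssd] [link_msg_handler] (0x1000): netlink link message: iface idx 4 (ib0) flags 0x11043 (broadcast,multicast,up,running,lower)
(Tue Nov 3 15:40:02 2015) [sssd] [link_msg_handler] (0x1000): netlink link message: iface idx 2 (eth0) flags 0x11043 (broadcast,multicast,up,running,lower)
"""

SYSLOG = """\
2015-11-03T13:17:59-05:00 node75 sssd[pam]: Shutting down
2015-11-03T13:17:59-05:00 node75 sssd[be[default]]: Shutting down
2015-11-03T13:17:59-05:00 node75 sssd[nss]: Shutting down
2015-11-03T18:00:00-05:00 node75 sssd[nss]: Shutting down
"""

LINK_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\] \[link_msg_handler\] \(0x[0-9a-f]+\): "
    r"netlink link message: iface idx \d+ \((?P<iface>[^)]+)\) "
    r"flags (?P<flags>0x[0-9a-f]+) \((?P<names>[^)]*)\)$"
)
SHUTDOWN_RE = re.compile(r"^(?P<ts>\S+) \S+ sssd\[(?P<svc>.+)\]: Shutting down$")


def parse_link_events(text: str) -> List[Tuple[datetime, str, frozenset]]:
    """(timestamp, interface, flag names) for each netlink link message in sssd.log."""
    events = []
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            # sssd's debug timestamp carries no zone; assumed to be local time,
            # i.e. the same clock the syslog offset below describes.
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            events.append((ts, m.group("iface"), frozenset(m.group("names").split(","))))
    return events


def parse_shutdowns(text: str) -> List[datetime]:
    """Distinct wall-clock times at which any sssd service logged 'Shutting down'."""
    times = set()
    for line in text.splitlines():
        m = SHUTDOWN_RE.match(line)
        if m:
            # RFC 3339 with offset; drop the offset to compare with the naive sssd stamps.
            times.add(datetime.fromisoformat(m.group("ts")).replace(tzinfo=None))
    return sorted(times)


def correlate(sssd_log: str, syslog: str,
              window: timedelta = timedelta(seconds=5)) -> List[Tuple[datetime, Tuple[str, ...]]]:
    """For each shutdown, the interfaces whose link state changed within `window` of it.

    An empty tuple marks a shutdown that no link change explains.
    """
    links = parse_link_events(sssd_log)
    result = []
    for when in parse_shutdowns(syslog):
        nearby = sorted({iface for ts, iface, _flags in links if abs(ts - when) <= window})
        result.append((when, tuple(nearby)))
    return result


if __name__ == "__main__":
    for when, ifaces in correlate(SSSD_LOG, SYSLOG):
        verdict = f"link change on {', '.join(ifaces)}" if ifaces else "no link change nearby"
        print(f"{when.isoformat()} sssd shutdown: {verdict}")
```

Run against real files, the two constants are simply replaced by the contents of sssd.log and /var/log/messages; a shutdown that comes back with an empty tuple is one this hypothesis does not account for and deserves a separate look.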
Announcing SSSD 1.14 Beta
by Jakub Hrozek
== SSSD 1.14 Beta ==
The SSSD team is proud to announce the release of version 1.14 Beta of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* SSSD's cache performance was improved. SSSD now stores operational
attributes of cache entries to a separate database with asynchronous
writes mode, which results in substantially faster cache update times in
most cases. Note that the performance of the initial cache write with an
empty cache does not improve, only subsequent updates.
* SSSD is able to merge configuration file snippets from an include
directory. This functionality requires the latest libini release 1.3.0.
* The GPO evaluator is able to skip malformed INI files. This feature is
also only available with libini release 1.3.0 or newer.
* A new command line tool, called sssctl was added. This tool allows the
administrator to observe the status of SSSD. In this version, the tool
is able to:
* list SSSD domains and subdomains, including their online and
offline status
* print information about objects stored in the cache
* backup or remove the local databases
* help truncate SSSD logs
* SSSD is able to validate configuration files against a built-in
schema. To retain backwards-compatibility with configuration files that
would otherwise not validate, the validator only warns about errors in
the config file in this version.
* An ID-mapping plugin for the winbind daemon was added. With this plugin,
it's possible for winbind to use the same ID-mapping scheme as SSSD uses,
producing consistent ID values
* A new "secrets" responder was added. This responder allows an application
to communicate with SSSD over a UNIX socket using the Custodia API. SSSD
then stores the secrets either in its local database or proxies them to
a remote Custodia server.
== Packaging Changes ==
* SSSD stores ephemeral attributes in a new ldb database called
timestamps_$domain.ldb stored in the same directory as the regular caches.
* The winbind ID-mapping plugin is packaged in its own subpackage called
winbind-idmap
* The SSSD configuration snippets are being read from a newly-owned
directory /etc/sssd/conf.d.
* SSSD ships a file with rules for the configuration validator. In Fedora,
this file is located at /var/lib/sss/cfg_rules.ini
== Tickets Fixed ==
#385
[RFE] Provide a Method to Display SSSD Status Information
#1662
[RFE] Provide a force reload utility
#1800
[RFE] create a generic sssdctl utility
#1937
[RFE] Improve LDAP error logging
#2028
sssd does not detail which line in configuration is invalid
#2166
[RFE] SSSD cache database reporting
#2247
[RFE] SSSD should be able to merge configuration from multiple files
#2466
[RFE] Method for setting custom shells without Unix Attributes in AD account
#2602
Optimize cache writes to sysdb
#2671
RFE: sss_cache: Add an option to rm the database files
#2735
Document best practices from security standpoint for OpenScap team
#2751
SSSD can't process GPO from Active Directory when it contains lines with no equal sign
#2913
Add a Secrets as a Service component
#2918
Make cli_ctx more generic
#2921
Replace the monitor ping with an in-process heartbeat
#2957
Extend interface between DP and IFP
#3070
Add infrastructure for socket-activated responders
== Detailed Changelog ==
Christian Heimes (1):
* Secrets: m4 macros for jansson and http-parser
Jakub Hrozek (19):
* Updating the version for the 1.14 beta release
* SYSDB: Move sysdb initialization into a new module sysdb_init.c
* UTIL: Add error codes for sysdb too old or too new
* SYSDB: Refactor database connection
* SYSDB: Add a second, timestamp-only ldb cache
* SYSDB: Open a timestamps cache for caching domains
* SYSDB: Wrap sysdb_store_group in a transaction and split it into smaller functions
* SYSDB: Search the timestamp caches in addition to the sysdb cache
* SYSDB: If modifyTimestamp is the same, only update the TS cache
* SYSDB: Check if group attributes differ before saving a group
* SYSDB: Refactor sysdb_store_user
* SYSDB: Only update user attributes if needed
* TESTS: Add a unit test for timestamps caches
* TESTS: Add an integration test for the timestamps cache
* LDAP: Shortcut looking up for group members sooner
* Contrib: Add a gdbinit file
* BUILD: Fall back to non-strict http parser, if strict is not available
* MAN: Include idmap_sss.8.xml in the manpage sources
* Updating the translations for the 1.14 beta release
Lukas Slebodnik (6):
* Prepare ini schema with rules for validation
* UTIL: Fix debug message in sssd_async_connect_done
* UTIL: Revent connection handling in sssd_async_connect_send
* Downcast to errno_t after tevent_req_is_error
* BUILD: Fix detection of systemd
* BUILD: Detect libsystemd-daemon or libsystemd
Michal Židek (3):
* GPO: ignore non-KVP lines if possible
* confdb: Make it possible to use config snippets
* confdb: Check for config file errors on sssd startup
Pavel Březina (25):
* IFP: Add domain nodes
* IFP: new header file that contains interface definitions
* sss_sifp: make it compatible with latest version of the infopipe
* sss_sifp: return context even on IO error
* sss_sifp: bump version to 1:0:1
* sss_tools: add command description
* sss_tools: add help commands to usage message
* sss_tools: unify description of --debug
* sss_tools: tell whether an option was provided
* sss_tools: add commands delimiter
* sss_tools: pad help message properly
* sss_tools: return errno_t instead of system code
* sss_tools: add test if sssd is running
* sss_tools: create confdb if not exist
* sss_override: return EXIT_SUCCESS even when no overrides are found
* sss_override: return EXIT_FAILURE if file does not exist during import
* ERRORS: Add errors to indicated whether SSSD is running or not
* SBUS ERRORS: Add unknown domain
* SBUS: Fix typo in comment
* SBUS: Add string helper macros
* DP: Add function to get be_ctx directly from dp_client
* DP: Add org.freedesktop.sssd.DataProvider.Backend
* DP: Add org.freedesktop.sssd.DataProvider.Failover
* IFP: Provide domain and failover status
* sssctl: new tool
Simo Sorce (14):
* Util: Add watchdog helper
* Server: Enable Watchdog in all daemons
* Monitor: Remove ping infrastructure
* Responders: Make the client context more generic
* Responders: Add support for socket activation
* ConfDB: Add helper function to get "subsections"
* Secrets: Add autoconf macros to build with secrets
* Secrets: Add initial responder code for secrets service
* Add initial providers infrastructure.
* Secrets: Add encryption at rest
* Secrets: Add Proxy backend
* Local secrets provider Content-Type handling
* Secrets: Add local container entries support
* Monitor: Add mode to generate confdb only
Sumit Bose (1):
* Add winbind idmap plugin
7 years, 5 months
migrating sssd from Edirectory to AD uid's and gid's for existing users..
by Mike Andrewjeski
Hi, we have a working sssd configuration that uses eDirectory. We are planning to move to AD from eDirectory and I'm looking for advice on how to handle the existing users' uids from eDirectory. We don't really want to script chown commands for every user unless there isn't another option. Currently in eDirectory our uids begin at ~1050000 and end at ~1055000, so seven digits. I'm not certain that I can match the uids using
ldap_id_mapping. Any ideas?
7 years, 5 months
Announcing ding-libs 0.6.0
by Jakub Hrozek
A new version of ding-libs was released today!
ding-libs, or "Ding is not GLib", is a set of helpful libraries used by
projects such as SSSD or gss-proxy.
The tarball can be downloaded from:
https://fedorahosted.org/sssd/wiki/Releases
== Highlights ==
* libini_config
* libini now supports validators that check for well-formed INI
files. Please see the Doxygen documentation for more details on using
the new functions. The new functions include:
* ini_rules_read_from_file
* ini_rules_check
* ini_rules_destroy
* ini_errobj_*
== Note for distribution packagers ==
* API and ABI are backward compatible with the last release (0.5.0)
== Detailed Changelog ==
Dmitri Pal (1):
* ini: Add INI_PARSE_IGNORE_NON_KVP flag
Lukas Slebodnik (6):
* INI: Enable string format check for ini_errobj_add_msg
* INI: Extend validator unit test for corner cases
* INI: Reduce count of argumets for ini_rules_check
* INI: Prepare for schema validation
* Bump version-info
* Update versions before 0.6.0 release
Michal Židek (6):
* ini_parse: Add missing TRACE_FLOW_EXIT
* Add unit test for INI_PARSE_IGNORE_NON_KVP
* ini: Add infrastructure for validators
* ini: Add internal validator ini_allowed_options
* tests: Tests for rules/validators infrastructure
* ini: Add internal validator allowed_sections
Robbie Harwood (3):
* Document ini_config_augment alphabetical file processing
* Fix comment in ini_augment_ut.c
* Ensure ding-linbs metapackage depends on libbasicobjects
7 years, 5 months
Announcing SSSD 1.14 Alpha
by Jakub Hrozek
== SSSD 1.14 Alpha ==
The SSSD team is proud to announce the release of version 1.14 Alpha of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* Several internal interfaces were refactored, providing cleaner
code and better memory hierarchy. This change will allow the code to
be easier to maintain and extend and get rid of sssd_be crashes on
service restarts while active requests are running.
* The IPA provider allows looking up users from trusted Active Directory
domains by certificates that are included in the IPA ID-views. Please
note that this functionality requires a recent IPA server.
* The AD provider is now able to look up users from Active Directory
domains by certificate. This change enables logins for Active Directory
users with the help of a smart card.
* The sss_override tool is now able to add certificates as local
overrides in the SSSD cache. Please note that the certificate overrides
are stored in the local cache, so removing the cache also removes all
the certificates!
* Invalid certificates are skipped instead of aborting the whole
operation when logging in with a smart card using SSH.
* A new option local_negative_timeout was added. This option allows
the admin to specify the time during which lookups for users that
are not handled by SSSD but are present on the system (typically in
/etc/passwd and /etc/group) and prevents repeated lookups of local
users on the remote server during initgroups operation.
* This version allows several OCSP-related options such as the OCSP
responder to be configured during smart card authentication
* SSSD is now able to determine the name of the user who logs in from
the inserted smart card without having to type in the username. Please
note that this functionality must be enabled with the allow_missing_name
pam_sss option.
* The sss_cache command line tool is now able to invalidate SUDO rules
with its new -r/-R switches. Please note that the sudo rules are not
refreshed with the sss_cache tool immediately. Refer to the sssd-sudo
man page for the existing refresh timeouts.
* The AD provider as well as the IPA provider part that handles AD
users is able to use the PAC blob attached to the Kerberos ticket to
resolve group memberships for a user if available. If the PAC blob is
not available, other methods such as tokenGroups are used instead.
* The libipa_hbac library was decorated with debug statements, allowing
the administrator to see individual parts of the HBAC rules as well
as the request passed to the evaluator
* Several systemtap probes were added across the SSSD codebase as well
as example systemtap scripts that use these probes. The scripts allow
the administrator to observe the performance of some operations such
as saving a group or the 'id' command with systemtap.
== Packaging Changes ==
* The libsss_sudo.so and libsss_autofs.so libraries were moved to
individual subpackage. This change allows the sudo and autofs libraries
to be installed in containers when the SSSD daemon is running on the
host or in another container.
* The PolicyKit rules used by the p11 child during smartcard
authentication were moved into their own subpackage to prevent conflict
in ownership with the polkit package
* The upstream RPMs no longer run as an unprivileged user, because
there are several known issues related to running SSSD completely
unprivileged. It is still possible to switch to a non-privileged user
in the sssd.conf file.
* If no configuration file exists on SSSD startup, the SSSD is now able
to read a default sssd.conf on first start. Downstreams are encouraged
to ship a default sssd.conf to allow SSSD to be enabled by default.
== Documentation Changes ==
* It is possible to configure SSSD debugging with the debug option
which is an alias to the existing debug_level option.
* A new local_negative_timeout option was added to configure the time
during which lookups for users that exist on the system but are not
handled by SSSD are negatively cached.
* The PAC responder allows the time during which data read from the
PAC blob is considered valid with a new pac_lifetime option.
* Several PAM services were added to the default list of Group
Policy mappings. These include adding the unity login manager to
the ad_gpo_map_interactive list and the polkit-1 service to the
ad_gpo_map_allow list.
* The p11 responder allows configuring the default OCSP responder with
its new option ocsp_default_responder and the certificate expected to
sign the OCSP response with the new ocsp_default_responder_signing_cert
option.
* The pam_sss.so PAM module has a new option allow_missing_name that
allows looking up the user (typically with the help of a certificate
on a smartcard) during login.
* The sss_override tool gained a new option -x/--certificate that can
be used to specify a local (as in the local cache) certificate for a
particular user.
* The sss_cache tool gained new options -r/-R that allow the
administrator to invalidate the sudo rules in the cache.
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1656
Name-space add_string and make it clear it can also remove string
https://fedorahosted.org/sssd/ticket/2081
[RFE] sss_cache: invalidate sudo rules
https://fedorahosted.org/sssd/ticket/2151
[RFE] Integrate SSSD with containers
https://fedorahosted.org/sssd/ticket/2158
PAC responder needs much time to process large group lists
https://fedorahosted.org/sssd/ticket/2317
make the negcache timeout part of nc_ctx
https://fedorahosted.org/sssd/ticket/2369
check correct usage of talloc_realloc
https://fedorahosted.org/sssd/ticket/2424
review the use of umask() in sssd code
https://fedorahosted.org/sssd/ticket/2683
man sssd.conf should clarify details about subdomain_inherit option.
https://fedorahosted.org/sssd/ticket/2703
Need better libhbac debuging added to sssd
https://fedorahosted.org/sssd/ticket/2715
Make it possible to lookup user via UPN / Kerberos principal
https://fedorahosted.org/sssd/ticket/2816
CI: whitespace_test FAILED without any output
https://fedorahosted.org/sssd/ticket/2848
cache_req: add SID lookups
https://fedorahosted.org/sssd/ticket/2855
Move libsss_sudo.so outside sssd-common
https://fedorahosted.org/sssd/ticket/2866
Cannot authenticate AD trust users after disconnecting network
https://fedorahosted.org/sssd/ticket/2869
cache_req tests don't use leak_check_push/leak_check_pop in fixtures
https://fedorahosted.org/sssd/ticket/2870
AD GPO fails if the machine account belongs to a domain controller
https://fedorahosted.org/sssd/ticket/2897
Smart Cards: Certificate in the ID View
https://fedorahosted.org/sssd/ticket/2903
Review and update wiki pages for 1.14 Alpha
https://fedorahosted.org/sssd/ticket/2924
Incorrect mapping for locked vs expired accounts with the krb provider
https://fedorahosted.org/sssd/ticket/2928
NSS responder should negatively cache local users for a longer time
https://fedorahosted.org/sssd/ticket/2941
Screen locks and smart card is removed - must show a message to insert the correct smartcard
https://fedorahosted.org/sssd/ticket/2968
Abstract async connect functions from sss_ldap
https://fedorahosted.org/sssd/ticket/2973
Common responder code closes socket to early on client shutdown
https://fedorahosted.org/sssd/ticket/2977
ssh with Smartcards - skip invalid certificates
https://fedorahosted.org/sssd/ticket/2999
RFE - alias log_level to debug_level
https://fedorahosted.org/sssd/ticket/3005
[Patch] Vague error message: [sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: Connect error
https://fedorahosted.org/sssd/ticket/3010
SSSD doesn't fail over to next GC if authentication fails
== Detailed Changelog ==
Alexander Bokovoy (1):
* SPEC: Move polkit rules into sssd-polkit-rules subpackage
Dan Lavu (5):
* sss_override: Add restart requirements to man page
* MAN: Clarify that subdomain_inherit only works for IPA and AD
* URL in BUILD.txt is incorrect
* Clarify that subdomains always use service discovery
* PAM: Fix man for pam_account_{expired,locked}_message
David Disseldorp (1):
* build: detect endianness at configure time
Fabiano Fidêncio (4):
* sysdb: move add_string() convenience to sysdb.c
* sysdb: add sysdb_{add,replace,delete}_string()
* sysdb: move add_ulong() convenience to sysdb.c
* sysdb: add sysdb_{add,replace,delete}_ulong()
Graham Leggett (1):
* Add underlying diagnostic message for SSL errors.
Jakub Hrozek (72):
* Updating the version to track 1.14 development
* MAN: Clarify pam_trusted_users option description
* MAN: proxy and krb5 are valid access control modules
* contrib: Add a pre-push hook to warn about commits without Reviewed-By
* AD: Provide common connection list construction functions
* AD: Consolidate connection list construction on ad_common.c
* tests: Fix compilation warning
* FO: Don't free rc-allocated structure
* tests: Reduce failover code duplication
* FO: Use refcount to keep track of servers returned to callers
* tools: Don't shadow 'exit'
* IFP: Skip non-POSIX groups properly
* SSSD: Add a new option diag_cmd
* DP: Drop dp_pam_err_to_string
* DP: Check callback messages for valid UTF-8
* sbus: Check string arguments for valid UTF-8 strings
* DP: Do not confuse static analysers with dead code
* CONTRIB: Add a gdb pretty-printer for ldb and sysdb_attrs
* BUILD: Only install polkit rules if the directory is available
* AD: Add autofs provider
* KRB5: Handle preauth request timeout more gracefully
* KRB5: Handle KRB5_REALM_UNKNOWN as ERR_NETWORK_IO
* FO: Use tevent_req_defer_callback() when notifying callers
* IPA: Use search timeout, not enum timeout for searching overrides
* DP: Reduce code duplication in the callback handlers
* DP: Reduce code duplication in Data Provider handlers
* MAN: Clarify when should TGs be disabled for group nesting restriction
* DP: Print warning when the handler is not configured
* tests: use unittest.TestCase.assertCountEqual if possible
* Fix pep8 warnings in pyhbac-test.py
* SDAP: Make it possible to silence errors from dereference
* Add a new option ldap_group_external_member
* IPA: Add interface to call into IPA provider from LDAP provider
* LDAP: Use the IPA provider interface to resolve external group members
* IPA: Use the common if-else coding style
* tests: Extend test_child_common.c to include tests for the only_extra_args functionality
* NSS: Move a DEBUG message so that it's less confusing
* MAN: Move subdomain_inherit to the correct man section
* MAN: Move proxy_fast_alias to the correct man section
* memberof: Don't allocate on a NULL context
* tests: Add a unit test for the external groups resolution
* libipa_hbac: Do not use C99
* libipa_hbac: Add more debug messages
* libipa_hbac: Fix typo in constant name
* libipa_hbac: Move the library to src/lib/ipa_hbac
* MAN: Remove duplicate description of the pam_account_locked_message option
* AD: Recognize Windows Server 2016
* memberof: Fix a memory leak when removing ghost users
* memberof: Don't allocate on NULL when deleting memberUids
* tests: Check NULL context in sysdb-tests when removing group members
* MAN: Drop the reference to IPAv2 in the man page
* Make sdap_process_group_send() static
* MAN: Remove references to the obsolete PubkeyAgent ssh option
* UTIL: Add ERR_SBUS_REQUEST_HANDLED
* IFP: Do not crash on invalid arguments to GetUserAttr
* UTIL: exit() the forked process if exec()-ing a child process fails
* AD: Do not schedule the machine renewal task if adcli is not executable
* AD: Do not leak file descriptors during machine password renewal
* Do not leak fds in case of failures setting up a child process
* LDAP: Try also the AD access control for IPA users
* RESPONDER: Fix error check in cache_req.c
* UTIL: Add a PROBE macro into probes.h
* BUILD: Add build infrastructure for systemtap scripts
* SYSDB: Track transaction nesting in sysdb_ctx
* SYSDB: Add systemtap probes to track sysdb transactions
* STAP: Add helper functions to for human-readable account request representation
* LDAP: Decorate the hot paths in the LDAP provider with systemtap probes
* CONTRIB: Add a systemtap script to analyze the performance of the 'id' command
* CONTRIB: Add a systemstap script to measure nested group code performance
* BUILD: Enable systemtap during RPM build and CI
* Updating the translations for the 1.14 alpha release
* Updating the version for the 1.14 beta release
Lukas Slebodnik (107):
* CONTRIB: pre-push hook could work with python3
* BUILD: Link just libsss_crypto with crypto libraries
* BUILD: Link crypto_tests with existing library
* BUILD: Remove unused variable TEST_MOCK_OBJ
* BUILD: Avoid symlinks with python modules
* SSSDConfigTest: Try load saved config
* SSSDConfigTest: Test real config without config_file_version
* intg_tests: Fix PEP8 warnings
* responder_common_tests: Removed unused libraries
* BUILD: Remove unused variables
* BUILD: Remove SSS_CRYPTO_LIBS from common libraries
* BUILD: Accept krb5 1.14 for building the PAC plugin
* BUILD: Fix detection of pthread with strict CFLAGS
* sbus_codegen_tests: Suppress warning Wmaybe-uninitialized
* BUILD: Fix cleanup without NLS
* SDAP: Remove unused sdap_id_ctx from sdap_id_conn_cache_create
* BUILD: Fix doc directory for sss_simpleifp
* LDAP: Fix leak of file descriptors
* BUILD: Remove sudo doxygen file
* CI: Workaroung for code coverage with old gcc
* FAIL_OVER: Fix warning value computed is not used
* cache_req: Fix warning -Wshadow
* SBUS: Fix warnings -Wshadow
* TESTS: Fix warnings -Wshadow
* INIT: Drop syslog.target from service file
* AD: Remove unused memory context from ad_user_conn_list
* DP_PTASK: Fix warning may be used uninitialized
* UTIL: Fix memory leak in switch_creds
* TESTS: Initialize leak check
* TESTS: Check return value of check_leaks_pop
* TESTS: Make check_leaks static function
* TESTS: Add warning for unused result of leak check functions
* sss_client: Fix underflow of active_threads
* sssd_client: Do not use removed memory cache
* test_memory_cache: Test removing mc without invalidation
* Revert "intg: Invalidate memory cache before removing files"
* CONFIGURE: Bump AM_GNU_GETTEXT_VERSION
* test_sysdb_subdomains: Do not use assignment in assertions
* ldap_local_override_test: Fix failure with python2.6
* sbus_codegen_tests: Use portable definition of large constants
* CI: Update suppression file for 32bit el6
* DEBUG: Add missing new lines
* AD: Log SID in debug message
* SPEC: Change package ownership of %{pubconfpath}/krb5.include.d
* SPEC: Move libsss_sudo.so outside sssd-common
* SPEC: Fix unowned directories
* SPEC: Use systemd macros
* pam-srv-tests: Reuse test directory for IO tests
* FAILOVER: Improve reporting of errors
* TOOLS: Fix warning Wsign-compare
* pysss_murmur: Fix warning Wsign-compare
* pyhbac: Fix warning Wsign-compare
* SPEC: Remove unnecessary clean-up of buildroot
* SPEC: Fix packaging of libsss_simpleifp
* CONFIGURE: Replace obsoleted macro AC_PROG_LIBTOOL
* TESTS: Fix race condition in python test
* server-tests: Fix clean-up after successful test
* PYTHON: sss_obfuscate should work with python3
* PYTHON: Fix pep8 errors in sss_obfuscate
* intg: Change preference of openldap module path
* SPEC: Move libsss_autofs.so outside sssd-common
* SPEC: Remove unnecessary requirements
* sss_idmap-tests: Fix segmentation fault
* krb5_child: Warn if user cannot read krb5.conf
* Fix typos reported by lintian
* UTIL: Use prefix for debug function
* UTIL: Provide varargs version of debug_fn
* IPA: Use sss_vdebug_fn in hbac_debug_messages
* IPA: log real hbac function
* HBAC: Check format string in hbac log function
* UTIL: Use sss_vdebug_fn for callbacks
* Revert "DEBUG: Preventing chown_debug_file if journald on"
* DEBUG: Ignore ENOENT for change owner of log files
* TOOLS: Fix minor memory leak in sss_colondb_writeline
* CI: Use yum-deprecated instead of dnf
* BUILD: Remove unused include directories
* BUILD: Simplify build of cwrap tests
* UTIL: Fix indentation in dlinklist.h
* UTIL: Fix warning misleading-indentation
* CLIENT: Reduce code duplication
* CLIENT: Retry request after EPIPE
* libipa_hbac: Ensure we always build with C90
* UTIL: Do not call stderr with negative number
* UTIL: Move debug part from util.h -> new debug.h
* UTIL: Allow to append new line in sss_vdebug_fn
* AUTOMAKE: Force usage of parallel test harness
* CI: Use make check instead of make-check-wrap
* IPA: Remove unused parameter from ipa_ext_group_member_check
* SDAP: Remove unused parameter talloc context
* test_ipa_subdom_server: Workaround for slow krb5 + SELinux
* SPEC: Run extra unit tests with epel
* GPO: Soften umask in gpo_child
* GPO_CHILD: Create directories in gpo_cache with right permissions
* GPO: Process GPOS in offline mode if ldap search failed
* IPA: Check RDN in ipa_add_ad_memberships_get_next
* dp_ptask: Fix memory leak in synchronous ptask
* test_be_ptask: Check leaks in tests
* test_ad_common: Include missing header if building with NSS
* SYSDB_SUDO: Remove useless test
* IPA_SUDO: Prevent dereference of NULL pointer
* intg: Use different uid range for add_remove tests
* LDAP: Print port in sdap_print_server
* TOOLS: Fix warning maybe-uninitialized
* pam-srv-tests: Increase cached_auth_timeout
* CI: Exclude files in /tmp during coverage runs
* pam-srv-tests: Fix warning unused-function
* SPEC: Run sssd as privileged user
Mathieu Deaudelin-Lemay (1):
* Changes to allow SSSD to be used for access control with a machine account belonging to a domain controller.
Michal Židek (15):
* SSSDConfig: Do not raise exception if config_file_version is missing
* spec: Missing initgroups mmap file
* util: Update get_next_domain's interface
* tests: Add get_next_domain_flags test
* sysdb: Include disabled domains in link_forest_roots
* sysdb: Use get_next_domain instead of dom->next
* Refactor some conditions
* util: Continue if setlocale fails
* server_setup: Log failed attempt to set locale
* tests: Run intgcheck without libsemanage
* tests: Regression test with wrong LC_ALL
* ldap_local_override_test: Remove sss_cache from teardown
* MAN: sssd.conf should mention SSS_NSS_USE_MEMCACHE
* NSS: do not skip cache check for netgroups
* GPO: log specific ini parse error messages
Nikolai Kondrashov (15):
* CI: Exclude whitespace_test from Valgrind checks
* TESTS: Make whitespace_test pass without whitespace
* man: Mention groups in filter_groups description
* man: Note filter_groups are not affecting nesting
* intg: Get base DN from LDAP connection object
* intg: Add support for specifying all user attrs
* intg: Split LDAP test fixtures for flexibility
* intg: Reduce sssd.conf duplication in test_ldap.py
* intg: Fix RFC2307bis group member creation
* intg: Do not use non-existent pre-increment
* CI: Do not skip tests not checked with Valgrind
* CI: Handle dashes in valgrind-condense
* intg: Fix all PEP8 issues
* CI: Enforce coverage make check failures
* intg: Add more LDAP tests
Pavel Březina (131):
* sbus codegen tests: free ctx
* sss tools: improve option handling
* cache_req: provide extra flag for oob request
* cache_req: add support for UPN
* cache_req tests: reduce code duplication
* cache_req: remove raw_name and do not touch orig_name
* intg: fix typos
* sss_override: fix comment describing format
* sss_override: explicitly set ret = EOK
* sss_override: steal msgs string to objs
* nss: send original name and id with local views if possible
* sudo: search with view even if user is found
* sudo: send original name and id with local views if possible
* sss_tools: always show common and help options
* sss_override: fix exporting multiple domains
* sss_override: add user-find
* sss_override: add group-find
* sss_override: add user-show
* sss_override: add group-show
* sss_override: do not free ldb_dn in get_object_dn()
* sss_override: use more generic help text
* sss_tools: do not allow unexpected free argument
* BE: Add IFP to known clients
* AD: remove annoying debug message
* man sssd-ad: fix typo
* SYSDB: Add missing include to sysdb_services.h
* LDAP: Mark globals in ldap_opts.h as extern
* AD: Mark globals in ad_opts.h as extern
* IPA: Mark globals in ipa_opts.h as extern
* KRB5: Mark globals in krb5_opts.h as extern
* SUDO: convert periodical refreshes to be_ptask
* SUDO: move refreshes from sdap_sudo.c to sdap_sudo_refresh.c
* SUDO: move offline check to handler
* SUDO: simplify error handling
* SUDO: fix sdap_id_op logic
* SUDO: fix tevent style
* SUDO: fix sdap_sudo_smart_refresh_recv()
* SUDO: sdap_sudo_load_sudoers improve iterator
* SUDO: set USN inside sdap_sudo_refresh request
* SUDO: built host filter inside sdap_sudo_refresh request
* SUDO: do not imitate full refresh if usn is unknown in smart refresh
* SUDO: fix potential memory leak in sdap_sudo_init
* SUDO: obtain host information when going online
* SUDO: remove finalizer
* SUDO: make sdap_sudo_handler static
* SUDO: use size_t instead of int in for cycles
* SUDO: get srv_opts after we are connected
* AD SRV: prefer site-local DCs in LDAP ping
* SDAP: handle ret properly in ldap_get_options()
* SDAP: do not fail if refs are found but not processed
* SDAP: Add request that iterates over all search bases
* SDAP: rename sdap_get_id_specific_filter
* SDAP: support empty filters in sdap_combine_filters()
* SUDO: use sdap_search_bases instead custom sb iterator
* SUDO: make sudo sysdb interface more reusable
* SUDO: move code shared between ldap and ipa to separate module
* SUDO: allow to disable ptask
* SUDO: fail on failed request that cannot be retried
* IPA: add ipa_get_rdn and ipa_check_rdn
* SDAP: use ipa_get_rdn() in nested groups
* IPA SUDO: choose between IPA and LDAP schema
* IPA SUDO: Add ipasudorule mapping
* IPA SUDO: Add ipasudocmdgrp mapping
* IPA SUDO: Add ipasudocmd mapping
* IPA SUDO: Implement sudo handler
* IPA SUDO: Implement full refresh
* IPA SUDO: Implement rules refresh
* IPA SUDO: Remember USN
* SDAP: Add sdap_or_filters
* IPA SUDO: Implement smart refresh
* SUDO: sdap_sudo_set_usn() do not steal usn
* SUDO: remove full_refresh_in_progress
* SUDO: assume zero if usn is unknown
* SUDO: allow disabling full refresh
* SUDO: remember usn as number instead of string
* SUDO: simplify usn filter
* IPA SUDO: Add support for ipaSudoRunAsExt* attributes
* sdap_connect_send: fail if uri or sockaddr is NULL
* MAKE: Do not compile generated header files
* cache_req: simplify cache_req_cache_check()
* cache_req: do not lookup views if possible
* remove user certificate if not found on the server
* IPA SUDO: download externalUser attribute
* cache_req: bring together search parameters
* cache_req: fix typo in debug message
* cache_req: break cache_req_input_create into more functions
* cache_req: rename debug_fqn to debugobj
* cache_req: improve debugging
* cache_req tests: remove unused users and groups
* mock domain: reset ldb errors
* cache_req tests: use leak check in test fixtures
* cache_req tests: improve user and group creation
* utils: return const char from dup_string_list
* cache_req: add SID lookups
* cache_req test: add lookup by sid
* cache_req: hide input and pass parameters in struct
* cache_req: rename cache_req_input to cache_req
* cache_req: remove old comment
* IPA SUDO: fix typo
* IPA SUDO: support old ipasudocmd rdn
* SUDO: be able to parse modifyTimestamp correctly
* sudo: remove unused structure sudo_dp_request
* sudo: use cache_req for initgroups
* sudo: do not use tevent when parsing query
* sudo: convert get_sudorules to tevent
* Inform about (un)successful connection
* Failover to next server if authentication fails
* Remove braces from DEBUG statements
* Rename dp_ptask to be_ptask
* Rename dp_refresh.h to be_refresh.h
* Rename dp_refresh.c to be_refresh.c
* Rename dp_dyndns.h to be_dyndns.h
* Rename dp_dyndns.c to be_dyndns.c
* Rename dp_backend.h to backend.h
* SBUS: Add sbus_conn_register_iface_map
* SBUS: Add data provider errors
* SBUS: Print debug message when handler fails
* ERRORS: Add ERR_OFFLINE
* ERRORS: Add ERR_TERMINATED
* ERRORS: Add ERR_INVALID_DATA_TYPE
* ERRORS: Add ERR_MISSING_DP_TARGET
* sdap_search_bases: allow map to be NULL
* sdap_search_bases: allow returning only the first reply
* sdap ops: add support for deref
* DP: Introduce new interface for backend
* DP: Add callback for backward compatibility
* DP TESTS: Mock data_provider
* DP TESTS: Add unit tests for dp_request_table.c
* DP: Switch to new interface
* RESPONDER: New interface for client registration
* DP: Move be_req_acct and remove discard_const
Pavel Reichl (39):
* SDAP: Relax POSIX check
* AD: fix minor memory leak
* IPA: fix minor memory leak
* SDAP: fix minor memory leak
* PROXY: fix minor memory leak
* sss_override: amend man page - overrides do not stack
* DYNDNS: use realm and server commands only as fallback
* DYNDNS: improve nsupdate_msg_add_fwd()
* intg: fix assert messages in test_memory_cache
* HBAC: remove misleading comment about deny rules
* sudo: remove unused param. in ldap_get_sudo_options
* autofs: remove unused params in del_autofs_entries
* LDAP: remove unused param. in sdap_fallback_local_user
* PAM: remove unused parameter cdb
* sss_override: Remove unused parameter tool_ctx
* SDAP: optional warning - sizelimit exceeded in POSIX check
* SDAP: allow_paging in sdap_get_generic_ext_send()
* SDAP: change type of attrsonly in sdap_get_generic_ext_state
* SDAP: pass params in sdap_get_and_parse_generic_send
* sss_override: Removed overrides might be in memcache
* sudo: remove unused param name in sdap_sudo_get_usn()
* pam-srv-tests: split pam_test_setup() so it can be reused
* pam-srv-tests: Add UT for cached 'online' auth.
* intg: Add test for user and group local overrides
* sysdb-tests: Fix warning - incompatible pointer type
* IDMAP: Fix computing max id for slice range
* IDMAP: New structure for domain range params
* IDMAP: Add support for automatic adding of ranges
* IDMAP: Fix minor memory leak
* IDMAP: Man change for ldap_idmap_range_size option
* NSS: Fix memory leak netgroup
* SDAP: Add error code to debug message
* IDMAP: Add test to validate off by one bug
* SDAP: Add return code ERR_ACCOUNT_LOCKED
* PAM: Pass account lockout status and display message
* IDMAP: Add minor performance improvements
* IDMAP: Make parameter names more descriptive
* DP TESTS: Add unit tests for dp_request.c
* DP TESTS: Add unit tests for dp_builtin.c
Petr Cech (56):
* TESTS: Fixing of uninitialized pointer.
* HBAC: Better libhbac debugging
* REFACTOR: umask(0177) --> umask(SSS_DFL_UMASK)
* REFACTOR: DFL_RSP_UMASK constant in responder code
* REFACTOR: umask(077) --> umask(SSS_DFL_X_UMASK)
* REFACTOR: SCKT_RSP_UMASK constant in responder code
* P11_CHILD_NSS: More restrictive permissions
* UTILS: More restrictive permissions in domain_info
* UTIL-TESTS: More restrictive permissions
* TESTS: More restrictive permissions in debug_tests
* TESTS: Restrictive permissions in check_and_open
* DEBUG: Preventing chown_debug_file if journald on
* KRB5_CHILD: More restrictive umask
* UTIL: More restrictive umask on sss_unique_file()
* TOOLS: DFL_UMASK --> SSS_DFL_UMASK
* TEST: Add test_user_by_recent_filter_valid
* TEST: Refactor of test_responder_cache_req.c
* TEST: Refactor of test_responder_cache_req.c
* TEST: Add common function are_values_in_array()
* TEST: Add test_users_by_recent_filter_valid
* TEST: Add test_group_by_recent_filter_valid
* TEST: Refactor of test_responder_cache_req.c
* TEST: Add test_groups_by_recent_filter_valid
* IPA_PROVIDER: Explicit no handle of services
* KRB5_CHILD: Debug logs for PAC timeout
* KRB5: Adding DNS SRV lookup for krb5 provider
* TOOLS: Fix memory leak after getline() failed
* TOOLS: Add comments on functions in colondb
* TEST_TOOLS_COLONDB: Add tests for sss_colondb_*
* TESTS: global_talloc_context push/pop remove
* NEGCACHE: Fixing typo in test_sss_ncache_gid()
* NEGCACHE: Removing of condition for ttl = -1
* SYSDB: Add new functions into sysdb_sudo
* TESTS: Test of sysdb_search_sudo_rules
* SSS_CACHE: Refactor
* TOOL: Invalidation of sudo rules at sss_cache
* AUTOFS: Removing of redundant debug message
* TEST: Removing duplication of mock_rctx
* NEGCACHE: Adding timeout to struct sss_nc_ctx
* NEGCACHE: Removing timeout from sss_ncache_check_*
* NEGCACHE: Adding getter for timeout
* RESPONDER: Removing neg_timeout from pam responder
* RESPONDER: Removing neg_timeout from pac_ctx
* RESPONDER: Removing neg_timeout from sudo resp.
* RESPONDER: Removing neg_timeout from ifp responder
* RESPONDER: Removing neg_timeout from nss responder
* RESPONDERS: Negcache in resp_ctx preparing
* RESPONDER: Removing ncache from nss_ctx
* RESPONDER: Removing ncache from ifp_ctx
* RESPONDER: Removing ncache from pac_ctx
* RESPONDER: Removing ncache from pam_ctx
* RESPONDER: Removing ncache from sudo_ctx
* RESPONDER: Removing of redundant function
* AD_PROVIDER: Fix constant char *
* RESPONDERS: Negative caching of local users
* TEST: New tests for negative caching of locals
Robert Antoni Buj Gelonch (1):
* Add Catalan translation to LINGUAS
Simo Sorce (6):
* Krb5/PAM: Fix account lockout error handling
* Util: Improve code to get connection credentials
* Util: Move socket setup in a common utility file
* Util: Set socket options and flags separately
* Util Sockets: Tidy up connect() handling
* Responders: Fix client destructor
Stephen Gallagher (11):
* LDAP: Inform about small range size
* Monitor: Show service pings at debug level 8
* GPO: Add Cockpit to the Remote Interactive defaults
* GPO: Add other display managers to interactive logon
* Netlink: Ignore RTM_NEWADDR signals from link-local
* GPO: Add "unity" to ad_gpo_map_interactive
* UTIL: Add secure copy function
* Internal: Rename CONFDB_DEFAULT_CONFIG_FILE
* CONFIG: Use default config when none provided
* GPO: Add "polkit-1" to ad_gpo_map_allow
* DEBUG: Add debug alias for debug_level
Sumit Bose (69):
* PAM: only allow missing user name for certificate authentication
* fix ldb_search usage
* fix upn cache_req for sub-domain users
* nss: fix UPN lookups for sub-domain users
* DP: successful authentication sets explicitly PAM_SUCCESS
* NSS: fix a use-after-free issue
* pam-srv-tests: Change service name
* cache_req: check all domains for lookups by certificate
* IPA: fix override with the same name
* p11: allow p11_child to run completely unprivileged
* p11: check if cert is valid before selecting it
* p11: enable ocsp checks
* ldap: skip sdap_save_grpmem() if ignore_group_members is set
* initgr: only search for primary group if it is not already cached
* LDAP: check early for missing SID in mapping check
* nfs idmap: fix infinite loop
* ipa_s2n_save_objects(): use configured user and group timeout
* Use right domain for user lookups
* sdap_save_grpmem: determine domain by SID if possible
* ldap: remove originalMemberOf if there is no memberOf
* UTIL: allow to skip default options for child processes
* DP_TASK: add be_ptask_get_timeout()
* AD: add task to renew the machine account password if needed
* FO: add fo_get_active_server()
* FO: add be_fo_get_active_server_name()
* AD: try to use current server in the renewal task
* p11: add gnome-screensaver to list of allowed services
* Just return NULL if tevent_req_create() fails
* subdomains: inherit ldap_krb5_keytab
* IPA: lookup idview name even if there is no master domain record
* IPA: invalidate override data if original view is missing
* sdap: improve filtering of multiple results in GC lookups
* pam_sss: reorder pam_message array
* SDAP: make some AD specific calls public
* LDAP: refactor sdap_ad_tokengroups_initgr_mapping_done()
* util: make concatenate_string_array() reusable
* AD: process PAC during initgroups request
* IPA: rename ipa_s2n_get_fqlist* to ipa_s2n_get_list*
* IPA: ipa_s2n_get_list_send() allow other list types
* IPA: resolve PAC for trusted users on IPA clients
* PAC: only save PAC blob into the cache
* sss_override: do not generate DN, search object
* tools: read additional data of the master domain
* sss_override: only add domain if name is not fully qualified
* intg: local override for user with mixed case name
* krb5_auth_store_creds: silence spurious debug message
* build: move ndr_krb5pac check to the other Samba checks
* IPA: terminate properly if view name lookup fails
* IPA: use forest name when looking up the Global Catalog
* libwbclient: wbcSidsToUnixIds() don't fail on errors
* AD: use krb5_keytab for subdomain initialization
* p11: add missing man page entry and config API
* p11: add no_verification option
* p11: add OCSP default responder options
* PAM: add pam_sss option allow_missing_name
* p11: add PKCS11_LOGIN_TOKEN_NAME environment variable
* sysdb: add sysdb_attrs_add_base64_blob()
* sysdb: add searches by certificate with overrides
* cache_req: use override aware call for lookup by certificate
* ipa: add support for certificate overrides
* nss: include certificates in full result list
* ipa: save cert as blob in the cache
* AD: read user certificate if available
* nss: return user certificate base64 encoded
* sss_override: add certificate support
* IPA: allow lookups by cert in sub-domains on the client
* NSS: add SSS_NSS_GETNAMEBYCERT request
* nss-idmap: add sss_nss_getnamebycert()
* ssh: skip invalid certificates
AD authentication on samba server using sssd
by shridhar shetty
I am trying to run samba with sssd service and AD authentication.
I have joined the linux server to the AD domain using realmd and using sssd
to authenticate to the AD. I am able to get user list from AD using "getent
passwd <username>".
The samba server starts but I am unable to get the authentication working.
I referred to the samba docs for centos7 and also installed sssd-libwbclient.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/...
Any pointers would be appreciated. thanks :)
OS: Centos: 7.2.1511 (Core)
Samba version: 4.2.10
sssd version: 1.13.0
Below are the files
sssd.conf
------------------
[sssd]
services = nss, pam, pac
config_file_version = 2
domains = xx.xxx.com
[nss]
allowed_shells = /bin/bash, /bin/hgcsh
shell_fallback = /bin/bash
default_shell = /bin/bash
[domain/corp.endurance.com]
ad_domain = xx.xxx.com
krb5_realm = XX.XXX.COM
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
krb5_store_password_if_offline = True
override_homedir = /home/%u
smb.conf
------------------
[global]
security = ads
workgroup = XXX
realm = XXX.XXX.COM
kerberos method = system keytab
log file = /var/log/samba/log.%m
log level = 10
max log size = 50
load printers = no
cups options = raw
printcap name = /dev/null
[myshare]
comment = My shared folder
path = /var/myshare
public = no
writable = yes
guest ok = no
valid users = @"tt at xx.xx.com"
"realmd list" output
--------------------
xx.xxx.com
type: kerberos
realm-name: XXX.XXX.COM
domain-name: xx.xx.com
configured: kerberos-member
server-software: active-directory
client-software: winbind
required-package: oddjob-mkhomedir
required-package: oddjob
required-package: samba-winbind-clients
required-package: samba-winbind
required-package: samba-common
login-formats: XXX\%U
login-policy: allow-any-login
xx.xxx.com
type: kerberos
realm-name: XXX.XXX.COM
domain-name: xx.xx.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common
login-formats: %U
login-policy: allow-realm-logins
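Added diagnostic, not code from the original post: the two configs posted above are embedded inline (with the poster's redacted values kept) and cross-checked with Python's configparser. It reports the two inconsistencies visible in the post, which may be redaction artifacts but would break a real join: the `domains =` list names xx.xxx.com while the only section is [domain/corp.endurance.com], and sssd's krb5_realm does not match Samba's realm. Function names are my own.

```python
"""Cross-check an sssd.conf against an smb.conf on an AD-joined Samba host."""
import configparser

# Constructed sample: the poster's sssd.conf, as shown in the thread.
SSSD_CONF = """\
[sssd]
services = nss, pam, pac
config_file_version = 2
domains = xx.xxx.com

[nss]
allowed_shells = /bin/bash, /bin/hgcsh
shell_fallback = /bin/bash
default_shell = /bin/bash

[domain/corp.endurance.com]
ad_domain = xx.xxx.com
krb5_realm = XX.XXX.COM
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
krb5_store_password_if_offline = True
override_homedir = /home/%u
"""

# Constructed sample: the [global] part of the poster's smb.conf.
SMB_CONF = """\
[global]
security = ads
workgroup = XXX
realm = XXX.XXX.COM
kerberos method = system keytab
log file = /var/log/samba/log.%m
"""


def parse_ini(text):
    # Both files contain literal '%u' / '%m' expansions; disable configparser
    # interpolation so they are read verbatim instead of raising errors.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def check_sssd_domains(sssd_text):
    """Return (listed_but_missing, defined_but_unlisted) sssd domain names.

    A domain listed in [sssd] domains= without a [domain/<name>] section is
    never started; a section not listed is silently ignored by sssd.
    """
    cp = parse_ini(sssd_text)
    listed = split_list(cp.get("sssd", "domains", fallback=""))
    defined = [s[len("domain/"):] for s in cp.sections() if s.startswith("domain/")]
    return sorted(set(listed) - set(defined)), sorted(set(defined) - set(listed))


def check_realm_agreement(sssd_text, smb_text):
    """Return (sssd_section, sssd_realm, samba_realm) tuples that disagree."""
    sssd, smb = parse_ini(sssd_text), parse_ini(smb_text)
    samba_realm = smb.get("global", "realm", fallback="").upper()
    mismatches = []
    for section in sssd.sections():
        if not section.startswith("domain/"):
            continue
        realm = sssd.get(section, "krb5_realm", fallback="").upper()
        if realm and realm != samba_realm:
            mismatches.append((section, realm, samba_realm))
    return mismatches


if __name__ == "__main__":
    print("domains vs sections:", check_sssd_domains(SSSD_CONF))
    print("realm mismatches:", check_realm_agreement(SSSD_CONF, SMB_CONF))
```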
Problem with Active Directory authentication
by ahkaplan@partners.org
Hello --
We are running the 14.04.3 LTS 64-bit release as a virtual machine on a Vmware appliance. The goal of the installation is to create a Samba server that utilizes Active Directory authentication. To that end I utilized the following procedure:
http://www.kiloroot.com/add-ubuntu-1...n-credentials/<http://www.kiloroot.com/add-ubuntu-14-04-server-or-desktop-to-microsoft-a...>
Afterwards, I referenced the following documentation to confirm that all configuration files had the appropriate entries:
https://help.ubuntu.com/lts/serverguide/sssd-ad.html
The problem is the following: I am unable to log into the server from the console or via SSH using my Active Directory user account. The syntax that I use when doing an SSH connection is the following:
ssh -v -l <username>@<domainname> <fully qualified domain name>
The output that was generated is the following:
OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to <fully qualified domain name> [<ip address>] port 22.
debug1: Connection established.
debug1: identity file /home/knoppix/.ssh/id_rsa type -1
debug1: identity file /home/knoppix/.ssh/id_rsa-cert type -1
debug1: identity file /home/knoppix/.ssh/id_dsa type -1
debug1: identity file /home/knoppix/.ssh/id_dsa-cert type -1
debug1: identity file /home/knoppix/.ssh/id_ecdsa type -1
debug1: identity file /home/knoppix/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA ec:09:c1:bc:d0:11:f3:8c:45:3f:dd:3a:96:ba:2a:17
debug1: Host '<fully qualified domain name>' is known and matches the ECDSA host key.
debug1: Found key in /home/knoppix/.ssh/known_hosts:29
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/knoppix/.ssh/id_rsa
debug1: Trying private key: /home/knoppix/.ssh/id_dsa
debug1: Trying private key: /home/knoppix/.ssh/id_ecdsa
debug1: Next authentication method: password
<username>@<domainname>@<fully qualified domain name>'s password:
Connection closed by <ip address>
I checked the auth.log file, and the following entries were present:
Jun 10 07:10:50 rorecovery1 sshd[7419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=<username>@<domainname>
Jun 10 07:10:51 rorecovery1 sshd[7419]: pam_winbind(sshd:auth): getting password (0x00000388)
Jun 10 07:10:51 rorecovery1 sshd[7419]: pam_winbind(sshd:auth): pam_get_item returned a password
Jun 10 07:10:51 rorecovery1 sshd[7419]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=username>@<domainname>
Jun 10 07:10:51 rorecovery1 sshd[7419]: pam_sss(sshd:auth): received for user username>@<domainname> 17 (Failure setting user credentials)
Jun 10 07:10:51 rorecovery1 sshd[7419]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
Jun 10 07:10:51 rorecovery1 sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jun 10 07:10:51 rorecovery1 sshd[7419]: pam_ldap: reconnecting to LDAP server...
Jun 10 07:10:51 rorecovery1 sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jun 10 07:10:53 rorecovery1 sshd[7419]: Failed password for invalid user username>@<domainname>from <ip address> port 49847 ssh2
Jun 10 07:10:55 r
Does anyone have thoughts on this?
Thanks.
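Added example, not from the original post: a small parser for the auth.log excerpt above (lines constructed from the post, placeholders kept) that groups entries by sshd PID and lists which PAM modules ran and which of them logged failures. On the posted lines it shows pam_unix, pam_winbind, pam_sss and pam_ldap all handling the same login attempt, i.e. three directory-backed modules stacked in one PAM service. Function names and failure markers are my own.

```python
"""Summarise which PAM modules handled one sshd login attempt."""
import re
from collections import defaultdict

# Constructed sample based on the thread's auth.log excerpt.
AUTH_LOG = """\
Jun 10 07:10:50 rorecovery1 sshd[7419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=<username>@<domainname>
Jun 10 07:10:51 rorecovery1 sshd[7419]: pam_winbind(sshd:auth): getting password (0x00000388)
Jun 10 07:10:51 rorecovery1 sshd[7419]: pam_winbind(sshd:auth): pam_get_item returned a password
Jun 10 07:10:51 rorecovery1 sshd[7419]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=<username>@<domainname>
Jun 10 07:10:51 rorecovery1 sshd[7419]: pam_sss(sshd:auth): received for user <username>@<domainname> 17 (Failure setting user credentials)
Jun 10 07:10:51 rorecovery1 sshd[7419]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
Jun 10 07:10:51 rorecovery1 sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jun 10 07:10:51 rorecovery1 sshd[7419]: pam_ldap: reconnecting to LDAP server...
Jun 10 07:10:51 rorecovery1 sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jun 10 07:10:53 rorecovery1 sshd[7419]: Failed password for invalid user <username>@<domainname> from <ip address> port 49847 ssh2
"""

# Matches "... sshd[PID]: pam_x(service:type): msg", "... sshd[PID]: pam_x: msg"
# and plain "... sshd[PID]: msg" lines written by sshd itself.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?:(?P<module>pam_\w+)(?:\([^)]*\))?: )?(?P<msg>.*)$"
)

# Substrings that mark a failure in the messages seen above (my own choice).
FAILURE_MARKERS = ("authentication failure", "Can't contact",
                   "Failure setting", "Failed password", "could not open")


def parse_auth_log(text):
    """Return {pid: [(module or 'sshd', message), ...]} in log order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # truncated or unrelated line, skip it
        sessions[m["pid"]].append((m["module"] or "sshd", m["msg"]))
    return dict(sessions)


def modules_in_order(events):
    """Distinct PAM modules that ran for one session, in first-seen order."""
    seen = []
    for module, _ in events:
        if module.startswith("pam_") and module not in seen:
            seen.append(module)
    return seen


def failure_summary(events):
    """Map each module (or 'sshd') to the failure messages it logged."""
    out = defaultdict(list)
    for module, msg in events:
        if any(marker in msg for marker in FAILURE_MARKERS):
            out[module].append(msg)
    return dict(out)


if __name__ == "__main__":
    for pid, events in parse_auth_log(AUTH_LOG).items():
        print(pid, "modules:", modules_in_order(events))
        for module, msgs in failure_summary(events).items():
            print("   ", module, len(msgs), "failure line(s)")
```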
id user@domain always show the same group list
by Joakim Tjernlund
I got 2 domains configured in sssd and the id cmd behaves odd:
gentoo-LABBBB sssd # id jocke@transmode.se
uid=1001(jocke) gid=100(users) groups=100(users),10(wheel),14(uucp),18(audio),27(video),250(portage),101(vboxusers),998(plugdev),78(kvm),900(libvirt),977(docker),1172001133(s all employees),1172056192(se-rnd-ts-1100),1172001161(all employees),1172000513(domain users),1172056141(se-it-group),1172056172(se-rnd-hw),1172056180(se-rnd-sw),1172056169(se-rnd)
gentoo-LABBBB sssd # id jocke@infinera.com
uid=1172051010(jocke) gid=1172056169(se-rnd) groups=1172056169(se-rnd),10(wheel),14(uucp),18(audio),27(video),250(portage),101(vboxusers),998(plugdev),78(kvm),900(libvirt),977(docker),1172001133(s all employees),1172056192(se-rnd-ts-1100),1172001161(all employees),1172000513(domain users),1172056141(se-it-group),1172056172(se-rnd-hw),1172056180(se-rnd-sw)
Notice how uid/gid differ but the group names are the same (they should not be).
It turns out that the "groups" list depends on the
domains = infinera.com,transmode.se
setting. Whichever is first wins.
Thoughts? Using sssd-1.13.4
Jocke