Enumerate users from external group from AD trust
by Bolke de Bruin
Hello,
I have sssd 1.13.00 working against a FreeIPA 4.2 domain. This domain has a trust relationship with an Active Directory domain.
One of the systems we are using requires enumerating all users in groups by (unfortunate) design (Apache Ranger). This is done by using
“getent group”. During this enumeration the full user list for a group that has a nested external member group* is not always returned, so we thought of
adding “getent group mygroup” in order to get more details. Unfortunately this does not seem to work consistently: sometimes this gives information, sometimes it does not:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
[root@master centos]# id bolke@ad.local
UID=1796201107(bolke@ad.local) GID=1796201107(bolke@ad.local) groepen=1796201107(bolke@ad.local),1796200513(domain users@ad.local),1796201108(test@ad.local)
[root@master centos]# getent group ad_users
ad_users:*:1950000004:bolke@ad.local
If I clear the cache (sss_cache -E) the entry is gone again:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
My question is how do I get sssd to enumerate *all users* in a group consistently?
Thanks!
Bolke
* https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-g...
4 years
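The symptom above (a user shows the group in `id`, but `getent group` lists the group without that member until the per-user lookup has populated the cache) can be turned into a repeatable check. The script below is an added example and not code from the thread or from sssd: it compares the member field of a `getent group` line with the numeric gids that `id -G` returns for each candidate user, and reports users that carry the group's gid but are missing from the enumeration output. The group line and the gid records in the test are constructed; `check_group` is the live wrapper that needs sssd on the host.

```shell
#!/bin/sh
# Added diagnostic, not part of the list post. Compares the member list that
# "getent group GROUP" returns with the per-user answer from "id -G USER":
# a user whose "id -G" output contains the group's gid but who is absent
# from the getent member field is a member the enumeration path dropped.

# Print the members field (4th colon-separated field) of a getent group
# line, one member per line; prints nothing when the field is empty.
members_from_group_line() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d'
}

# Exit 0 if the first argument equals any of the remaining arguments.
in_list() {
    _needle=$1; shift
    for _item in "$@"; do
        [ "$_item" = "$_needle" ] && return 0
    done
    return 1
}

# report_missing GROUP_LINE < RECORDS
# GROUP_LINE is a getent group line. Each stdin record is "USER GID GID..."
# (a user name followed by that user's numeric gids, as "id -G" prints them).
# Prints every user whose gids include the group's gid but who is not listed
# in the group line's member field.
report_missing() {
    _gid=$(printf '%s\n' "$1" | cut -d: -f3)
    _members=$(members_from_group_line "$1")
    while read -r _user _gids; do
        [ -n "$_user" ] || continue
        # $_gids is word-split on purpose: one argument per gid.
        if in_list "$_gid" $_gids; then
            printf '%s\n' "$_members" | grep -qxF -- "$_user" || printf '%s\n' "$_user"
        fi
    done
}

# check_group GROUP USER...
# Live wrapper: runs getent and id on this host and feeds report_missing.
check_group() {
    _group=$1; shift
    _line=$(getent group "$_group") || { echo "group $_group not found" >&2; return 2; }
    for _u in "$@"; do
        _ids=$(id -G "$_u" 2>/dev/null) || continue   # skip users that do not resolve
        printf '%s %s\n' "$_u" "$_ids"
    done | report_missing "$_line"
}

# Usage: ./check_group.sh ad_users bolke@ad.local alice@ad.local
if [ $# -gt 0 ]; then
    check_group "$@"
fi
```

Comparing numeric gids rather than group names avoids the ambiguity of names containing spaces ("domain users@ad.local") in `id -Gn` output, and running the check once before and once after `sss_cache -E` shows whether the missing members come back only after per-user lookups.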
full_name_format and supplemental groups
by Orion Poplawski
Running IPA with an AD trust. Users are in AD. Trying to use
full_name_format = %1$s to strip the domain from user names. This appears to
break supplemental groups in strange ways.
On the IPA server:
Without full_name_format:
# id orion@ad.nwra.com
uid=470202603(orion@ad.nwra.com) gid=470202603(orion@ad.nwra.com) groups=470202603(orion@ad.nwra.com),470200513(domain users@ad.nwra.com),470204703(pirep rd users@ad.nwra.com),470204714(wireless access@ad.nwra.com),470204715(nwra-users@ad.nwra.com),470204701(boulder@ad.nwra.com),470207608(heimdall users@ad.nwra.com),470200512(domain admins@ad.nwra.com),470207124(andreas admins@ad.nwra.com)
With:
# id orion@ad.nwra.com
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
If I add:
default_domain_suffix = ad.nwra.com
# id orion
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion),470200512(domain admins),470207608(heimdall users),470204714(wireless access),470204715(nwra-users),470204701(boulder),470204703(pirep rd users),470207124(andreas admins),470200513(domain users)
Which I guess makes some sense as you'd need to add the domain suffix back on
to find the groups.
But this appears to completely break IPA clients (with full_name_format = %1$s
and default_domain_suffix = ad.nwra.com):
# id orion@ad.nwra.com
id: orion@ad.nwra.com: no such user
# id orion
id: orion: no such user
From looking at the server logs, it looks like only the IPA domain is searched.
If I reset the server back to normal (drop full_name_format and
default_domain_suffix):
# id orion
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
I don't get any supplemental groups. I see sssd errors like:
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
Is it trying "cn=groups,cn=nwra.com,cn=sysdb" instead of
"cn=groups,cn=ad.nwra.com,cn=sysdb"?
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 http://www.nwra.com
7 years, 1 month
sssd_be[30807]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied after upgrading packages
by Steffen Knauf
Hello,
after upgrading the sssd package from 1.13.0-40.el7_2.1 to 1.13.0-40.el7_2.9 and upgrading the cyrus-sasl packages from 2.1.26-19.2.el7 to 2.1.26-20.el7_2
I got the following message after restarting sssd:
sssd_be[30849]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
sssd_be[30849]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
I didn't change any configuration in sssd.conf or saslauthd.conf.
Setting the relevant debug_level = 9 in sssd.conf doesn't help, so perhaps someone can give me a hint?
greets
Steffen
7 years, 2 months
SID->UID/GID mapping issues
by John Hodrien
CentOS 7 install fully updated (sssd-1.13.0-40.el7_2.9.x86_64).
Samba setup, SSSD setup, using AD with SFU attributes.
wbinfo isn't doing SID -> UID/GID mappings properly.
# wbinfo -n correctuser
failed to call wbcLookupName: WBC_ERR_UNKNOWN_FAILURE
Could not lookup name correctuser
# wbinfo -n MYDOMAIN\\correctuser
S-1-5-21-XXXXX SID_USER (1) # Correct
# wbinfo -s S-1-5-21-XXXXX
failed to call wbcLookupSid: WBC_ERR_UNKNOWN_FAILURE
Could not lookup sid S-1-5-21-XXXXX
# wbinfo --user-sidinfo=S-1-5-21-XXXXX
correctuser:*:12345:678:Correct User:/correct/home:/bin/bash
I get basically the same behaviour with groups.
Results in the display of SIDs in Windows rather than resolved names.
Swap out to use winbind instead:
alternatives --set libwbclient.so.0.12-64 /usr/lib64/samba/wbclient/libwbclient.so.0.12
All works perfectly well, with all of those cases working fine, and Windows
clients happy as Larry.
If I restart SSSD and run wbinfo -s, I see in the logs that it finds the right
record, in as much as it does a sane query, finds the correctuser record,
and stores the user, and it declares that it found the SID later:
[sdap_search_user_process] (0x0400): Search for users, returned 1 results.
...
[sdap_save_user] (0x0400): Storing info for user correctuser
...
[ad_master_domain_next_done] (0x0400): Found SID [S-1-5-21-XXXXX]
Nothing looks pained, but it doesn't work.
Any clues how to debug this?
jh
7 years, 3 months
netlink messages on Infiniband causing sssd to exit
by Ryan Novosielski
Over time, I’ve been having seemingly random sssd quits that I’ve not been able to figure out. Today, I finally traced it to fluctuations on my Infiniband fabric:
sssd.log
(Tue Nov 3 13:17:59 2015) [sssd] [message_type] (0x0200): netlink Message type: 16
(Tue Nov 3 13:17:59 2015) [sssd] [link_msg_handler] (0x1000): netlink link message: iface idx 4 (ib0) flags 0x1003 (broadcast,multicast,up)
(Tue Nov 3 13:17:59 2015) [sssd] [message_type] (0x0200): netlink Message type: 16
(Tue Nov 3 13:17:59 2015) [sssd] [link_msg_handler] (0x1000): netlink link message: iface idx 4 (ib0) flags 0x11043 (broadcast,multicast,up,running,lower)
This exactly corresponds to the time in /var/log/messages for the unexplained shutdown:
2015-11-03T13:17:59-05:00 node75 sssd[pam]: Shutting down
2015-11-03T13:17:59-05:00 node75 sssd[be[default]]: Shutting down
2015-11-03T13:17:59-05:00 node75 sssd[nss]: Shutting down
Here is sssd_default.log for good measure:
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [sbus_remove_watch] (0x2000): 0x1414770/0x14133d0
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [sbus_remove_watch] (0x2000): 0x1414770/0x13fef90
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [be_ptask_destructor] (0x0400): Terminating periodic task [Cleanup of default]
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [sdap_handle_release] (0x2000): Trace: sh[0x14bd850], connected[1], ops[(nil)], ldap[0x1424260], destructor_lock[0], release_memory[0]
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [remove_connection_callback] (0x4000): Successfully removed connection callback.
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [sbus_remove_watch] (0x2000): 0x1415970/0x1416430
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [remove_socket_symlink] (0x4000): The symlink points to [/var/lib/sss/pipes/private/sbus-dp_default.18702]
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [remove_socket_symlink] (0x4000): The path including our pid is [/var/lib/sss/pipes/private/sbus-dp_default.18702]
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [remove_socket_symlink] (0x4000): Removed the symlink
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [be_client_destructor] (0x0400): Removed PAM client
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [be_client_destructor] (0x0400): Removed NSS client
I can duplicate this by manually taking down the Infiniband link:
[root@node24 ~]# service sssd status
sssd (pid 9132) is running...
[root@node24 ~]# ifdown ib0
[root@node24 ~]# service sssd status
sssd dead but pid file exists
I have also noticed that sssd will not start on boot. As I know that Infiniband tends to flutter a little bit before the link comes up, I’m thinking this is probably the same cause.
Can anyone explain this behavior and tell me what I might do to prevent it?
--
____ *Note: UMDNJ is now Rutgers-Biomedical and Health Sciences*
|| \\UTGERS |---------------------*O*---------------------
||_// Biomedical | Ryan Novosielski - Senior Technologist
|| \\ and Health | novosirj@rutgers.edu - 973/972.0922 (2x0922)
|| \\ Sciences | OIRT/High Perf & Res Comp - MSB C630, Newark
`'
7 years, 3 months
Cross domain trust and SSO/NFS ?
by Joakim Tjernlund
We are migrating to a new AD domain and I got cross domain trust problems (there is a bidirectional
cross trust between the two ADs; how can I test this works from Linux?). All users in domain A
have been copied to domain B (using the same UID/GID as in domain A).
I have managed to configure sssd for both domains (let's call the old domain A and the new B),
joined to both domains, and I can log in using any of the 2 domains.
But here is the problem:
If I use the new domain (B) as default login domain, I cannot ssh to another system still in domain A
passwordless (without entering my password again) or access files on NFS mounts exported from domain A.
I know very little about cross trust etc. so I want to ask:
1) Is this even possible?
2) I have no idea where to start looking for what went wrong, need some pointers.
We are using sssd 1.13.4 on the new domain B machines while servers
in domain A use an older sssd (1.12.5)
Jocke
7 years, 4 months
dyndns updates in sssd-13.4
by Longina Przybyszewska
Hi ,
After upgrade to sssd-13.4, dyndns updates don't work in an AD cross-realm environment.
Our DNS server is :
-not on the identity server (exactly, not on the default DC for the domain)
-DNS server and reverse DNS server are different machines
It worked in the previous release (also, DNS updates only).
Now, to fix this I need to use the option 'dyndns_server' to explicitly point to the server.
It is not possible for dyndns_ptr updates, since sssd obviously assumes that there is one DNS server for both A and PTR records.
Do you plan a 'dyndns_ptr_server' option as well in future releases?
Best,
Longina
7 years, 4 months
sssd System error
by Schiller Frank
Hi,
I'm trying to authenticate with active-directory users (Windows Server 2008 R2) on my Ubuntu 16.04 workstation.
I used the steps in "SSSD and Active Directory" from the Ubuntu documentation.
Adding the computer-account to active-directory worked.
Running id <active-directory-user> also returns the correct active-directory-groups the user is in.
But I can't login with active-directory-user.
content of /var/log/auth.log:
pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=<active-directory-user>
pam_sss(login:account): Access denied for user<active-directory-user>: 4 (System error)
output of "service sssd status":
sssd.service - System Security Services Daemon
Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
Active: active (running) since Mo 2016-07-25 12:47:37 CEST; 35min ago
Process: 1913 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS) Main PID: 2088 (sssd)
CGroup: /system.slice/sssd.service
├─2088 /usr/sbin/sssd -D -f
├─2092 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain DOMAIN.LOCAL --uid 0 --gid 0 --debug-to-files
├─2131 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
└─2132 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
Jul 25 12:49:21 ubuntu16 sssd_be[2092]: GSSAPI client step 1
Thank you very much for any help.
Best Regards
Frank
7 years, 4 months
nfsidmap with 'sss'method
by Longina Przybyszewska
Hi,
I upgraded to sssd-13.4 (kernel 4.4.0-31-generic #50-Ubuntu).
After the upgrade I have problems with nfs4+Kerberos idmapping, using the krb localauth snippet and choosing the 'sss' method in /etc/idmap.conf;
I get (again!) the famous nobody mapping for cross-realm users;
Mapping of groups is correct, as groups are in the same domain as computers.
I can mount with sec=krb5, get access to my nfs-mounted home directory, get r/w permissions, but listing a file shows wrong owner:
ausr@nat.domain@adm-lnx438:~$ ls -ld .
drwxr-xr-x 3 4294967294 lnx-primary@adm.domain 28 Aug 18 2015 SSSD-GIT
ausr@nat.domain --> 4294967294
group@adm.domain --> group
In logfile:
Jul 27 14:23:55 adm-lnx438 nfsidmap[22500]: key: 0x26626a54 type: uid value: ausr@nat.domain@adm.domain timeout 600
Jul 27 14:23:55 adm-lnx438 nfsidmap[22500]: nfs4_name_to_uid: calling sss_nfs->name_to_uid
Jul 27 14:23:55 adm-lnx438 nfsidmap[22500]: user ausr@nat.domain@adm.domain not in memcache
Jul 27 14:23:56 adm-lnx438 nfsidmap[22500]: sss_nfs_name_to_uid: rc=2 msg=No such file or directory
Jul 27 14:23:56 adm-lnx438 nfsidmap[22500]: nfs4_name_to_uid: sss_nfs->name_to_uid returned -2
Jul 27 14:23:56 adm-lnx438 nfsidmap[22500]: nfs4_name_to_uid: final return value is -2
Jul 27 14:23:56 adm-lnx438 nfsidmap[22500]: nfs4_name_to_uid: calling sss_nfs->name_to_uid
Jul 27 14:23:56 adm-lnx438 nfsidmap[22500]: user nobody@adm.domain not in memcache
Jul 27 14:23:56 adm-lnx438 nfsidmap[22500]: sss_nfs_name_to_uid: rc=2 msg=No such file or directory
Jul 27 14:23:56 adm-lnx438 nfsidmap[22500]: nfs4_name_to_uid: sss_nfs->name_to_uid returned -2
Jul 27 14:23:56 adm-lnx438 nfsidmap[22500]: nfs4_name_to_uid: final return value is -2
Jul 27 14:23:56 adm-lnx438 nfsidmap[22504]: key: 0x276b113b type: gid value: lnx-primary@adm.domain timeout 600
Jul 27 14:23:56 adm-lnx438 nfsidmap[22504]: nfs4_name_to_gid: calling sss_nfs->name_to_gid
Jul 27 14:23:56 adm-lnx438 nfsidmap[22504]: found group lnx-primary@adm.domain in memcache
Jul 27 14:23:56 adm-lnx438 nfsidmap[22504]: sss_nfs_name_to_gid: rc=0 msg=Success
Jul 27 14:23:56 adm-lnx438 nfsidmap[22504]: nfs4_name_to_gid: sss_nfs->name_to_gid returned 0
Jul 27 14:23:56 adm-lnx438 nfsidmap[22504]: nfs4_name_to_gid: final return value is 0
----
getent passwd ausr@nat.domain
ausr@nat.domain:*:10002:30000000:Ausr :/home/ausr:/bin/bash
id ausr@nat.domain
uid=10002(ausr@nat.domain) gid=30000000(lnx-primary@adm.domain) groups=30000000(lnx-primary@adm.domain),4(adm),24(cdrom),27(sudo),46(plugdev),113(lpadmin),131(lxd),),9002(lnx-xxx-nfs4users2@c.xxx.dk),6666(nfs4users2@nat.domain),30000006(data-adm-lnx-nfs0a-qbl-admin-id-00001@adm.domain),9999(usr-xxx-glu@c.xxx.dk),8888(nfs4users@nat.domain),30000002(lnx-ladm-clients@adm.domain)
Any ideas what could happen?
Best
Longina
7 years, 4 months
keyring: disk quota exceeded
by Ondrej Valousek
Hi List,
On my RH-7 box I am getting a message like this:
[root@spartacus bin]# kinit
kinit: Disk quota exceeded while getting default ccache
Google gave this: https://bugzilla.redhat.com/show_bug.cgi?id=1017683
Which suggests big keys need to be enabled in the kernel and points to kernel 3.11.
However, RHEL-7 is based on 3.10 kernels - do we know whether big Kerberos keys are supported there?
Thanks,
Ondrej
7 years, 4 months
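The "Disk quota exceeded" that kinit reports with a KEYRING credential cache is the kernel's EDQUOT for the calling user's key quota, so the first thing to check is how full that quota is. The script below is an added example and not part of the thread: it parses the per-uid records of /proc/key-users (format: uid, usage count, nkeys/nikeys, qnkeys/maxkeys, qnbytes/maxbytes) and flags users near their byte quota. The kernel's defaults for non-root users are 200 keys and 20000 bytes (/proc/sys/kernel/keys/maxkeys and maxbytes). The records in the test are constructed; the threshold of 80 percent is an assumption.

```shell
#!/bin/sh
# Added diagnostic, not part of the list post. "Disk quota exceeded" (EDQUOT)
# from kinit with a KEYRING credential cache means the calling user's kernel
# keyring quota is full. This reports how much of the per-user quota each
# uid in /proc/key-users has consumed. Kernel defaults: 200 keys and
# 20000 bytes per non-root user (/proc/sys/kernel/keys/maxkeys, maxbytes).

# quota_usage_line RECORD
# RECORD is one line of /proc/key-users:
#   "<uid>: <usage> <nkeys>/<nikeys> <qnkeys>/<maxkeys> <qnbytes>/<maxbytes>"
# Prints "<uid> keys=<qnkeys>/<maxkeys> bytes=<qnbytes>/<maxbytes> bytes_pct=<n>".
quota_usage_line() {
    set -- $1                     # word-split the record into its five fields
    _uid=${1%:}
    _qkeys=${4%/*};  _maxkeys=${4#*/}
    _qbytes=${5%/*}; _maxbytes=${5#*/}
    _pct=$(( _qbytes * 100 / _maxbytes ))
    printf '%s keys=%s/%s bytes=%s/%s bytes_pct=%s\n' \
        "$_uid" "$_qkeys" "$_maxkeys" "$_qbytes" "$_maxbytes" "$_pct"
}

# near_quota RECORD THRESHOLD_PCT
# Exit 0 when the record's byte usage is at or above THRESHOLD_PCT percent.
near_quota() {
    _pct=$(quota_usage_line "$1" | sed 's/.*bytes_pct=//')
    [ "$_pct" -ge "$2" ]
}

# keyring_quota_report [THRESHOLD_PCT]
# Live: prints every uid's usage and flags those at or above the threshold
# (default 80, an assumed value).
keyring_quota_report() {
    _threshold=${1:-80}
    [ -r /proc/key-users ] || { echo "/proc/key-users not readable" >&2; return 2; }
    while read -r _record; do
        _flag=""
        near_quota "$_record" "$_threshold" && _flag="  <-- near quota"
        printf '%s%s\n' "$(quota_usage_line "$_record")" "$_flag"
    done < /proc/key-users
}

# Usage: ./keyring_quota.sh --report [THRESHOLD_PCT]
if [ "${1:-}" = "--report" ]; then
    keyring_quota_report "${2:-80}"
fi
```

Run it as the user whose kinit fails: a uid line close to its bytes limit confirms the quota is the cause, and `cat /proc/sys/kernel/keys/maxbytes` shows the limit that applies.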