uid -> sid mapping in Samba with sssd
by smfrench@gmail.com
It wasn't obvious from the documentation whether, with sssd-libwbclient only (i.e. without sssd-winbind-idmap installed and configured in smb.conf, since sssd-winbind-idmap is not available in most versions of RHEL7 as it was only recently added), Samba's uid_to_sid() function can always do the uid_to_sid lookup to AD. It can if using winbind, but it wasn't clear whether this would work with only sssd-libwbclient installed and what additional Samba configuration is needed for that.
Without this, the owner of a file (viewed from the Windows client in the Explorer GUI) looks like "Unix user\10000" rather than "user@domain" (as it would for Windows to Windows, or if winbind were running on the Samba server joined to AD).
7 years, 2 months
sssd and clustering/ctdb
by smfrench@gmail.com
We were noticing some strange problems with sssd in a two-node cluster (ctdb/samba): cases in which both nodes joined AD fine, but "getent passwd <username>" worked for only a subset of the remote AD users on one node, while it worked fine on the other. The config seemed to be identical on the two nodes; I didn't see any obvious problems with the sssd configuration, but clearly the two nodes behave differently.
Are there instructions on setting up sssd in a clustered environment (e.g. presumably similar to the clustered ctdb/samba/ceph or gluster that RHEL might ship)? Or for the clustered case is it safer to simply use winbind?
7 years, 2 months
sssd error message help
by Galen Johnson
Hey,
I'm getting this message pretty often...
(Thu Jan 26 21:23:03 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.NotSupported]
I get it in the pam and nss services... could someone suggest which log level I should enable to figure out what the actual message is that sssd doesn't like? Best I can tell, these really started to show up after we updated to CentOS 7.3, but the logs have rolled off so I can't say that definitively. It appears that users aren't necessarily being impacted, but I don't like mysteries in my logs.
thanks
=G=
Note: I've tried bumping to 0x1010.
7 years, 2 months
excessive number of adcli-krb5 tmp files
by smfrench@gmail.com
I noticed that on one of our test systems running sssd we have about 150 /tmp/adcli-krb5-* files (they already take up about 600K after a few days), with contents similar to a krb5.conf file snippet:
# cat /tmp/adcli-krb5-a1klQy/krb5.d/adcli-krb5-conf-sM7Ia1
[realms]
VWQA.LOCAL = {
kdc = vwqadc02.vwqa.local:88
master_kdc = vwqadc02.vwqa.local:88
kpasswd_server = vwqadc02.vwqa.local
}
[domain_realm]
vwqadc02.vwqa.local = VWQA.LOCAL
vwqadc02.vwqa.local = VWQA.LOCAL
Any idea why there are so many of them, and what keeps creating them?
7 years, 2 months
SSSD and username > 32 Characters
by Ali, Saqib
Hello,
We would like to set up SSSD to use AD for user authentication and Kerberos for our Linux environment. The User Principal Names (UPNs) in our Active Directory occasionally exceed 32 characters. Will that cause any issues? On the surface it doesn't look like SSSD will have any issues. I am able to log in with a 56 character UPN.
Thanks,
Saqib
7 years, 2 months
coexist with nscd... :-/
by Michael Ströder
Hi!
I vaguely remember a statement here that one should always disable nscd on a system running sssd. After chasing an issue on a customer system today I can confirm this. I always uninstall nscd from all my own systems.
Therefore I'm considering letting my ansible role (used for configuring Æ-DIR clients) strictly disable nscd. Does that make sense?
Caveat: Some people might want to let nscd cache other maps not handled by sssd (e.g. hosts). Any recommendations to tweak /etc/nscd.conf to let nscd coexist with sssd?
These lines could probably be a good start:
enable-cache passwd no
enable-cache group no
Any other hints?
Ciao, Michael.
7 years, 2 months
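A small checker for the nscd coexistence question above, added here as an example and not part of the thread: it reads the `enable-cache` directives of an nscd.conf, reports which maps sssd also serves and nscd would cache in front of it, and rewrites only those to `no`, leaving maps such as `hosts` alone. The set of sssd-served maps (`SSSD_MAPS`) and the sample config are assumptions of this example.

```python
import re

# Maps sssd's NSS responder serves (assumption: passwd and group as in the
# thread, plus netgroup and services, which sssd can also provide).
SSSD_MAPS = ("passwd", "group", "netgroup", "services")

# "enable-cache <map> yes|no", optionally followed by a '#' comment.
_ENABLE_RE = re.compile(r"^(\s*enable-cache\s+(\S+)\s+)(yes|no)(\s*(?:#.*)?)$", re.I)


def cached_maps(conf_text):
    """Return the set of maps this nscd.conf enables caching for.

    A map that is unlisted or set to 'no' is not cached (assumption: nscd.conf(5)
    documents 'no' as the default); a later line for a map overrides an earlier one.
    """
    enabled = {}
    for line in conf_text.splitlines():
        m = _ENABLE_RE.match(line)
        if m:
            enabled[m.group(2).lower()] = m.group(3).lower() == "yes"
    return {name for name, on in enabled.items() if on}


def conflicting_maps(conf_text, sssd_maps=SSSD_MAPS):
    """Maps nscd would cache in front of sssd, sorted for stable output."""
    return sorted(cached_maps(conf_text) & set(sssd_maps))


def disable_sssd_maps(conf_text, sssd_maps=SSSD_MAPS):
    """Rewrite the config so nscd stops caching the sssd-served maps.

    Other maps (hosts, for example) are left exactly as they were.
    """
    out = []
    for line in conf_text.splitlines():
        m = _ENABLE_RE.match(line)
        if m and m.group(2).lower() in sssd_maps:
            line = m.group(1) + "no" + m.group(4)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample /etc/nscd.conf, not taken from any real system.
SAMPLE_NSCD_CONF = """\
logfile  /var/log/nscd.log
enable-cache  passwd  yes
positive-time-to-live  passwd  600
enable-cache  group  yes
# hosts is not served by sssd, so caching it is harmless
enable-cache  hosts  yes
enable-cache  services  no
enable-cache  netgroup  yes
"""
```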
sssd states service is not responding to pings
by jsl6uy js16uy
Hello all, hope all is well
Seeing an odd issue on a host. Periodically sssd will state it can't ping the domain... well, the service named the same as the domain... and then shut down and restart. Users can't auth and log in till the service restarts. So this effectively restricts access to hosts to filtered users like root. Windows DCs are available the whole time. See nothing untoward in a pcap during that time. Also, since we've been having these issues, the host has not been used for prod duty, so lightly loaded, during these sssd disconnects. Really see heavy traffic to the DCs during the issue.
What does it mean for a service ping to time out in sssd speak? Service on the dbus?
Posted snippets from journalctl/sssd logs/sssd.conf all below.
Thanks in advance, any and all help would be appreciated.
Host is Ubuntu Xenial.
From journalctl... from the event today:
Jan 18 12:51:55 X sssd[41083]: Killing service [foo], not responding to pings!
Jan 18 12:52:08 X sshd[104273]: fatal: Access denied for user srv_ti by PAM account configuration [preauth]
Jan 18 12:52:52 X sshd[104298]: Connection closed by 99.99.99.99 port 60245 [preauth]
Jan 18 12:52:55 X sssd[41083]: [foo][41084] is not responding to SIGTERM. Sending SIGKILL.
Jan 18 12:52:55 X sssd[be[104300]: Starting up
sssd_log today at debug 9 set in sssd.conf:
>>>>>>
(Wed Jan 18 12:51:05 2017) [sssd] [ping_check] (0x2000): Service foo replied to ping
(Wed Jan 18 12:51:05 2017) [sssd] [sbus_remove_timeout] (0x2000): 0xe15880
(Wed Jan 18 12:51:05 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0xe109f0
(Wed Jan 18 12:51:05 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 12:51:05 2017) [sssd] [ping_check] (0x2000): Service nss replied to ping
(Wed Jan 18 12:51:05 2017) [sssd] [sbus_remove_timeout] (0x2000): 0xe14540
(Wed Jan 18 12:51:05 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0xe11ac0
(Wed Jan 18 12:51:05 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 12:51:05 2017) [sssd] [ping_check] (0x2000): Service pam replied to ping
(Wed Jan 18 12:51:15 2017) [sssd] [service_send_ping] (0x2000): Pinging foo
(Wed Jan 18 12:51:15 2017) [sssd] [sbus_add_timeout] (0x2000): 0xe14540
(Wed Jan 18 12:51:15 2017) [sssd] [service_send_ping] (0x2000): Pinging nss
(Wed Jan 18 12:51:15 2017) [sssd] [sbus_add_timeout] (0x2000): 0xe15880
(Wed Jan 18 12:51:15 2017) [sssd] [service_send_ping] (0x2000): Pinging pam
(Wed Jan 18 12:51:15 2017) [sssd] [sbus_add_timeout] (0x2000): 0xe0d600
(Wed Jan 18 12:51:15 2017) [sssd] [sbus_remove_timeout] (0x2000): 0xe15880
(Wed Jan 18 12:51:15 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0xe109f0
(Wed Jan 18 12:51:15 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 12:51:15 2017) [sssd] [ping_check] (0x2000): Service nss replied to ping
(Wed Jan 18 12:51:15 2017) [sssd] [sbus_remove_timeout] (0x2000): 0xe0d600
(Wed Jan 18 12:51:15 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0xe11ac0
(Wed Jan 18 12:51:15 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 12:51:15 2017) [sssd] [ping_check] (0x2000): Service pam replied to ping
(Wed Jan 18 12:51:25 2017) [sssd] [service_send_ping] (0x2000): Pinging foo
(Wed Jan 18 12:51:25 2017) [sssd] [sbus_add_timeout] (0x2000): 0xe0d600
(Wed Jan 18 12:51:25 2017) [sssd] [service_send_ping] (0x2000): Pinging nss
(Wed Jan 18 12:51:25 2017) [sssd] [sbus_add_timeout] (0x2000): 0xe15880
(Wed Jan 18 12:51:25 2017) [sssd] [service_send_ping] (0x2000): Pinging pam
(Wed Jan 18 12:51:25 2017) [sssd] [sbus_add_timeout] (0x2000): 0xe09430
(Wed Jan 18 12:51:25 2017) [sssd] [sbus_remove_timeout] (0x2000): 0xe14540
(Wed Jan 18 12:51:25 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0xe0c370
(Wed Jan 18 12:51:25 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 12:51:25 2017) [sssd] [ping_check] (0x0020): A service PING timed out on [foo]. Attempt [0]
(Wed Jan 18 12:51:25 2017) [sssd] [sbus_remove_timeout] (0x2000): 0xe15880
(Wed Jan 18 12:51:25 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0xe109f0
(Wed Jan 18 12:51:25 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 12:51:25 2017) [sssd] [ping_check] (0x2000): Service nss replied to ping
(Wed Jan 18 12:51:25 2017) [sssd] [sbus_remove_timeout] (0x2000): 0xe09430
(Wed Jan 18 12:51:25 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0xe11ac0
(Wed Jan 18 12:51:25 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 12:51:25 2017) [sssd] [ping_check] (0x2000): Service pam replied to ping
(Wed Jan 18 12:51:35 2017) [sssd] [service_send_ping] (0x2000): Pinging foo
(Wed Jan 18 12:51:35 2017) [sssd] [sbus_add_timeout] (0x2000): 0xe09430
(Wed Jan 18 12:51:35 2017) [sssd] [service_send_ping] (0x2000): Pinging nss
(Wed Jan 18 12:51:35 2017) [sssd] [sbus_add_timeout] (0x2000): 0xe15880
(Wed Jan 18 12:51:35 2017) [sssd] [service_send_ping] (0x2000): Pinging pam
(Wed Jan 18 12:51:35 2017) [sssd] [sbus_add_timeout] (0x2000): 0xe14540
(Wed Jan 18 12:51:35 2017) [sssd] [sbus_remove_timeout] (0x2000): 0xe15880
(Wed Jan 18 12:51:35 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0xe109f0
(Wed Jan 18 12:51:35 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 12:51:35 2017) [sssd] [ping_check] (0x2000): Service nss replied to ping
(Wed Jan 18 12:51:35 2017) [sssd] [sbus_remove_timeout] (0x2000): 0xe14540
(Wed Jan 18 12:51:35 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0xe11ac0
(Wed Jan 18 12:51:35 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 12:51:35 2017) [sssd] [ping_check] (0x2000): Service pam replied to ping
(Wed Jan 18 12:51:35 2017) [sssd] [sbus_remove_timeout] (0x2000): 0xe0d600
(Wed Jan 18 12:51:35 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0xe0c370
(Wed Jan 18 12:51:35 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 12:51:35 2017) [sssd] [ping_check] (0x0020): A service PING timed out on [foo]. Attempt [1]
(Wed Jan 18 12:51:45 2017) [sssd] [service_send_ping] (0x2000): Pinging foo
(Wed Jan 18 12:51:45 2017) [sssd] [sbus_add_timeout] (0x2000): 0xe0d600
(Wed Jan 18 12:51:45 2017) [sssd] [service_send_ping] (0x2000): Pinging nss
(Wed Jan 18 12:51:45 2017) [sssd] [sbus_add_timeout] (0x2000): 0xe14540
(Wed Jan 18 12:51:45 2017) [sssd] [service_send_ping] (0x2000): Pinging pam
(Wed Jan 18 12:51:45 2017) [sssd] [sbus_add_timeout] (0x2000): 0xe15880
(Wed Jan 18 12:51:45 2017) [sssd] [sbus_remove_timeout] (0x2000): 0xe09430
(Wed Jan 18 12:51:45 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0xe0c370
(Wed Jan 18 12:51:45 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 12:51:45 2017) [sssd] [ping_check] (0x0020): A service PING timed out on [foo]. Attempt [2]
(Wed Jan 18 12:51:45 2017) [sssd] [sbus_remove_timeout] (0x2000): 0xe14540
(Wed Jan 18 12:51:45 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0xe109f0
(Wed Jan 18 12:51:45 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
This also happened this past Monday evening:
>>>
(Mon Jan 16 19:22:30 2017) [sssd] [ping_check] (0x0020): A service PING timed out on [foo]. Attempt [0]
(Mon Jan 16 19:22:40 2017) [sssd] [ping_check] (0x0020): A service PING timed out on [foo]. Attempt [1]
(Mon Jan 16 19:22:50 2017) [sssd] [ping_check] (0x0020): A service PING timed out on [foo]. Attempt [2]
(Mon Jan 16 19:23:00 2017) [sssd] [tasks_check_handler] (0x0020): Killing service [foo], not responding to pings!
(Mon Jan 16 19:23:00 2017) [sssd] [ping_check] (0x0020): A service PING timed out on [foo]. Attempt [3]
(Mon Jan 16 19:23:10 2017) [sssd] [ping_check] (0x0020): A service PING timed out on [foo]. Attempt [4]
(Mon Jan 16 19:24:00 2017) [sssd] [mt_svc_sigkill] (0x0010): [foo][2084] is not responding to SIGTERM. Sending SIGKILL.
(Mon Jan 16 19:24:00 2017) [sssd] [mt_svc_exit_handler] (0x0040): Child [foo] terminated with signal [9]
(Mon Jan 16 19:24:00 2017) [sssd] [mt_svc_restart] (0x0400): Scheduling service foo for restart 1
(Mon Jan 16 19:24:00 2017) [sssd] [get_ping_config] (0x0100): Time between service pings for [foo]: [10]
(Mon Jan 16 19:24:00 2017) [sssd] [get_ping_config] (0x0100): Time between SIGTERM and SIGKILL for [foo]: [60]
(Mon Jan 16 19:24:00 2017) [sssd] [start_service] (0x0100): Queueing service foo for startup
(Mon Jan 16 19:24:00 2017) [sssd] [sbus_server_init_new_connection] (0x0200): Entering.
(Mon Jan 16 19:24:00 2017) [sssd] [sbus_server_init_new_connection] (0x0200): Adding connection 0x1588b70.
(Mon Jan 16 19:24:00 2017) [sssd] [sbus_init_connection] (0x0400): Adding connection 0x1588b70
(Mon Jan 16 19:24:00 2017) [sssd] [sbus_server_init_new_connection] (0x0200): Got a connection
(Mon Jan 16 19:24:00 2017) [sssd] [monitor_service_init] (0x0400): Initializing D-BUS Service
(Mon Jan 16 19:24:00 2017) [sssd] [sbus_opath_hash_add_iface] (0x0400): Registering interface org.freedesktop.sssd.monitor with path /org/freedesktop/sssd/monitor
(Mon Jan 16 19:24:00 2017) [sssd] [sbus_conn_register_path] (0x0400): Registering object path /org/freedesktop/sssd/monitor with D-Bus connection
(Mon Jan 16 19:24:00 2017) [sssd] [sbus_opath_hash_add_iface] (0x0400): Registering interface org.freedesktop.DBus.Properties with path /org/freedesktop/sssd/monitor
(Mon Jan 16 19:24:00 2017) [sssd] [sbus_opath_hash_add_iface] (0x0400): Registering interface org.freedesktop.DBus.Introspectable with path /org/freedesktop/sssd/monitor
(Mon Jan 16 19:24:00 2017) [sssd] [client_registration] (0x0100): Received ID registration: (%BE_foo,1)
(Mon Jan 16 19:24:00 2017) [sssd] [mark_service_as_started] (0x0200): Marking foo as started.
(Mon Jan 16 19:24:00 2017) [sssd] [mark_service_as_started] (0x0080): Invalid parent pid: 1963
>>>
sssd.conf
[sssd]
config_file_version = 2
debug_level = 9
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = foo
[nss]
filter_groups = root,
filter_users = root,
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/foo]
enumerate = False
id_provider = ad
chpass_provider = ad
auth_provider = ad
min_id = 1000
ad_hostname = X.us.foo.com
ad_domain = us.foo.com
dyndns_update = false
ldap_id_mapping = false
ldap_user_home_directory = unixHomeDirectory
ldap_user_object_class = user
ldap_group_object_class = top
ldap_group_nesting_level = 5
ldap_group_name = sAMAccountName
ldap_group_search_base = ou=accounts,dc=us,dc=foo,dc=com?subtree?&(objectClass=top)(!(objectClass=computer))(gidnumber=*)(|(groupType<=0)(&(objectClass=user)(objectCategory=person)(uidNumber=*)))
access_provider = simple
simple_allow_users = appadmin,srv_ti,
simple_allow_groups = SG-MCServices,SG-MTO-SE-Dev,
7 years, 2 months
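To answer the "what does a ping timeout mean" question above from the logs themselves, here is a small parser for the sssd monitor's messages, added as an example and not part of the original post. It groups the "PING timed out", "Killing service", "Sending SIGKILL" and "Scheduling ... for restart" lines per service and reports how long the backend was unresponsive before the monitor gave up on it; the sample lines are constructed, unwrapped copies of the Monday event quoted in the post.

```python
import re
from datetime import datetime

# One monitor message per line: "(timestamp) [sssd] [function] (level): message".
_LINE_RE = re.compile(r"^\((.+?)\) \[sssd\] \[\w+\] \(0x[0-9a-f]+\): (.*)$")
_TIMEOUT_RE = re.compile(r"PING timed out on \[(\w+)\]\. Attempt \[\d+\]")
_SIGTERM_RE = re.compile(r"Killing service \[(\w+)\]")
_SIGKILL_RE = re.compile(r"\[(\w+)\]\[\d+\] is not responding to SIGTERM")
_RESTART_RE = re.compile(r"Scheduling service (\w+) for restart")
_EVENTS = (("sigterm", _SIGTERM_RE), ("sigkill", _SIGKILL_RE), ("restart", _RESTART_RE))


def parse_line(line):
    """Split one sssd.log line into (timestamp, message); None if it is not one."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)


def ping_incidents(lines):
    """Per service: first missed ping, number of misses, and the SIGTERM/SIGKILL/restart times."""
    incidents = {}

    def record(svc, ts):
        return incidents.setdefault(svc, {"first_timeout": ts, "timeouts": 0,
                                          "sigterm": None, "sigkill": None,
                                          "restart": None})

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        m = _TIMEOUT_RE.search(msg)
        if m:
            record(m.group(1), ts)["timeouts"] += 1
            continue
        for key, pattern in _EVENTS:
            m = pattern.search(msg)
            if m:
                record(m.group(1), ts)[key] = ts
    return incidents


def unresponsive_seconds(incident):
    """Seconds from the first missed ping until SIGKILL (or SIGTERM if no SIGKILL was needed)."""
    end = incident["sigkill"] or incident["sigterm"]
    return None if end is None else (end - incident["first_timeout"]).total_seconds()


# Constructed sample: the Monday event from the post, one message per line.
SAMPLE_LOG = """\
(Mon Jan 16 19:22:30 2017) [sssd] [ping_check] (0x0020): A service PING timed out on [foo]. Attempt [0]
(Mon Jan 16 19:22:40 2017) [sssd] [ping_check] (0x0020): A service PING timed out on [foo]. Attempt [1]
(Mon Jan 16 19:22:50 2017) [sssd] [ping_check] (0x0020): A service PING timed out on [foo]. Attempt [2]
(Mon Jan 16 19:23:00 2017) [sssd] [tasks_check_handler] (0x0020): Killing service [foo], not responding to pings!
(Mon Jan 16 19:24:00 2017) [sssd] [mt_svc_sigkill] (0x0010): [foo][2084] is not responding to SIGTERM. Sending SIGKILL.
(Mon Jan 16 19:24:00 2017) [sssd] [mt_svc_restart] (0x0400): Scheduling service foo for restart 1
""".splitlines()
```

Run over a real sssd.log, a service that shows up repeatedly with a 90 second gap between first timeout and SIGKILL is a backend that hung (not one that crashed), which is what the "Time between SIGTERM and SIGKILL for [foo]: [60]" setting in the post controls.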
email logins
by Galen Johnson
Hello,
Many moons ago, I had asked about the ability to allow users to log in with email addresses. It seems my wish was granted with a recent upgrade of sssd (when we updated to RHEL/Cent 7.3?). I don't wish to look a gift horse in the mouth but it is causing some weirdness with some of our applications that are set up to use the host systems to authenticate.
Anyone have any ideas on whether this is a bug (if so, I like it so don't change it :-) )? Or how to fix it so we can disable this "feature" until we can make use of it?
We turned the logs up to 11 and noticed this entry (names have been changed to protect the innocent):
(Tue Jan 17 21:43:11 2017) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(krbPrincipalName=myuser@example.com)(mail=myuser@example.com)(krbPrincipalName=myuser\\@example.com@MYDOMAIN.EXAMPLE.COM))(objectclass=user)(&(uidNumber=*)(!(uidNumber=0))))][ou=users,ou=production,ou=Customers,dc=mydomain,dc=example,dc=com].
This may not be helpful but I'm curious if there was some new feature introduced to have sssd use the mail address if it "looks like a mail address". sssd was bumped to 1.14.0 based on "sssd --version". My configs haven't changed in a long time (2 years). Please be gentle when commenting on the setup as this was done while still figuring out how to use sssd with help from the community (docs, developers, etc).
[domain/mydomain]
id_provider = ldap
auth_provider = krb5
access_provider = ldap
ldap_use_tokengroups = False
ldap_group_nesting_level = 0
cache_credentials = True
case_sensitive = true
account_cache_expiration = 5
enumerate = False
# for performance
ldap_referrals = False
ldap_id_mapping = False
ignore_group_members = True
# provide the schema for services for unix
ldap_schema = rfc2307bis
ldap_id_use_start_tls = True
ldap_tls_reqcert = allow
ldap_tls_cacertdir = /etc/sssd/certs
ldap_search_timeout = 6
ldap_disable_range_retrieval = False
ldap_default_authtok_type = obfuscated_password
ldap_default_bind_dn = <removed>
ldap_default_authtok = <removed>
ldap_search_base = <removed>?subtree?
ldap_user_search_base = <removed>
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_name = sAMAccountName
ldap_group_search_base = ou=Groups,...
ldap_group_object_class = group
ldap_access_filter = memberOf=cn=enabled,ou=Groups,ou=...
ldap_access_order = filter
ldap_force_upper_case_realm = True
# required
krb5_canonicalize = False
krb5_store_password_if_offline = True
krb5_server = <removed>
krb5_backup_server = <removed>
krb5_realm = MYDOMAIN.EXAMPLE.COM
krb5_renewable_lifetime = 7d
krb5_auth_timeout = 15
krb5_lifetime = 24h
Still digging myself but haven't turned over the relevant rock.
=G=
7 years, 3 months
caching problem
by Thomas Beaudry
Hi,
I have a problem on some of my workstations where they are creating ccache files every 1-3 minutes. Within 10 minutes I will have 40 ccache_<DOMAIN>_<random text> files, all of file size 0. How can I stop this? I don't have this problem on my other machines. I tried setting cache_credentials = false and this doesn't work (and I don't have this setting on the machines that don't suffer from this problem).
Any help would be greatly appreciated!
thanks,
Thomas
7 years, 3 months