sssd performance on large domains
by zfnoctis@gmail.com
Hi,
I'm wondering if there are any plans to improve sssd performance on large active directory domains (100k+ users, 40k+ groups), or if there are settings I am not aware of that can greatly improve performance, specifically for workstation use cases.
Currently if I do not set "ignore_group_members = True" in sssd.conf, logins can take upwards of 6 minutes and "sssd_be" will max the CPU for up to 20 minutes after logon, which makes it a non-starter. The reason I want to allow group members to be seen is that I want certain domain groups to be able to perform elevated actions using polkit. If I ignore group members, polkit reports that the group is empty and so no one can elevate in the graphical environment.
Ultimately this means that Linux workstations are at a severe disadvantage since they cannot be bound to the domain and have the normal set of access features users and IT expect from macOS or Windows.
Distributions used: Ubuntu 16.04 (sssd 1.13.4-1ubuntu1.1), Ubuntu 16.10 (sssd 1.13.4-3) and Fedora 24 (sssd-1.13.4-3.fc24). All exhibit the same problems.
I've also tried "ldap_group_nesting_level = 1" without seeing any noticeable improvement with respect to performance. Putting the database on /tmp isn't viable as these are workstations that will reboot semi-frequently, and I don't believe this is an I/O bound performance issue anyway.
Thanks for your time.
1 year, 9 months
Enumerate users from external group from AD trust
by Bolke de Bruin
Hello,
I have sssd 1.13.00 working against a FreeIPA 4.2 domain. This domain has a trust relationship with an Active Directory domain.
One of the systems we are using requires enumerating all users in groups by (unfortunate) design (Apache Ranger). This is done by using
“getent group”. During this enumeration the full user list for a group that has a nested external member group* is not always returned, so we thought to
add “getent group mygroup” in order to get more details. Unfortunately this does not seem to work consistently: sometimes this gives information, sometimes it does not:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
[root@master centos]# id bolke(a)ad.local
UID=1796201107(bolke(a)ad.local) GID=1796201107(bolke(a)ad.local) groepen=1796201107(bolke(a)ad.local),1796200513(domain users@ad.local),1796201108(test(a)ad.local)
[root@master centos]# getent group ad_users
ad_users:*:1950000004:bolke@ad.local
If I clear the cache (sss_cache -E) the entry is gone again:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
My question is how do I get sssd to enumerate *all users* in a group consistently?
Thanks!
Bolke
* https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-g...
4 years
Does anyone use id_provider=local ?
by Jakub Hrozek
Hi,
are there any SSSD users who actively use a configuration with:
id_provider=local ?
If so, what is your use-case?
We're considering deprecating and eventually removing this provider
upstream. The replacement for id_provider=local would be id_provider=files:
https://fedorahosted.org/sssd/wiki/DesignDocs/FilesProvider
which is already under review, and a later extension of the SSSD's D-Bus
interface to allow manipulating custom user attributes.
My current plan for deprecating the local provider is to only build the
provider and the tools around it if a configure-time flag is provided.
This flag would be disabled by default. Then, if no one complains,
eventually just remove the code.
6 years, 1 month
Authenticating to RODC using SSSD
by Abhijit Tikekar
Hi,
Has anyone had any success while setting up SSSD with an RODC AD server? We
are setting this up on CentOS 6.8 machines but it doesn't seem to work.
Computer object is created and replicated to RODC. Verified that all
configuration file parameters are identical to the ones mentioned in the
link below.
https://access.redhat.com/discussions/2838371
I assume we still have to join the server to the RODC? Is the joining process
still the same as we do for a writable DC?
When using "net ads join" I get the following error:
Failed to join domain: Failed to set account flags for machine account
(NT_STATUS_NOT_SUPPORTED)
In the logs, we also get the following (debug level set to 7):
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options]
(0x0100): Will look for testdmzlin(a)X.Y.LOCAL in default keytab
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]]
[select_principal_from_keytab] (0x0200): trying to select the most
appropriate principal from keytab
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab]
(0x0400): No principal matching testdmzlin(a)X.Y.LOCAL found in keytab.
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab]
(0x0400): No principal matching TESTDMZLIN$(a)X.Y.LOCAL found in keytab.
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab]
(0x0400): No principal matching host/testdmzlin(a)X.Y.LOCAL found in keytab.
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab]
(0x0400): No principal matching *$(a)X.Y.LOCAL found in keytab.
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab]
(0x0400): No principal matching host/*(a)X.Y.LOCAL found in keytab.
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab]
(0x0400): No principal matching host/*@(null) found in keytab.
But if I try to query this RODC using "ldapsearch" it works.
ldapsearch -H ldap://RODC_ServerName.x.y.local/ -Y GSSAPI -N -b
"dc=x,dc=y,dc=local"
"(&(objectClass=user)(sAMAccountName=firstname.lastname))"
What else can I check to troubleshoot this issue?
Thanks,
~ Abhi
6 years, 6 months
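The debug lines in the post above show the order in which SSSD's find_principal_in_keytab searched the keytab before giving up. The following script, added here as an example and not part of the thread or of SSSD itself, reproduces that search order against the output of `klist -k`, so you can see which keytab entry SSSD would settle on and whether the join actually left a usable one behind. The keytab listing, the short hostname testdmzlin and the realm X.Y.LOCAL are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread). Reproduces the keytab lookup
# order shown in SSSD's find_principal_in_keytab debug messages and reports
# which principal, if any, would satisfy it. The keytab listing below is a
# constructed sample in the format printed by `klist -k` (without -t).

KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/testdmzlin.x.y.local@X.Y.LOCAL
   2 HOST/testdmzlin.x.y.local@X.Y.LOCAL
   2 RestrictedKrbHost/testdmzlin.x.y.local@X.Y.LOCAL'

# list_principals KLIST_OUTPUT: one principal per line, header lines dropped
# (a principal line is "<kvno> <principal>": two fields with a numeric kvno)
list_principals() {
    printf '%s\n' "$1" | awk 'NF == 2 && $1 ~ /^[0-9]+$/ { print $2 }'
}

# sssd_principal_match KLIST_OUTPUT SHORTHOST REALM
# Tries the candidate patterns in the order the debug log shows:
#   shorthost@REALM, SHORTHOST$@REALM, host/shorthost@REALM,
#   *$@REALM (any machine account), host/*@REALM (any host principal).
# Prints the first keytab entry that matches and returns 0; returns 1 if
# none matches, which is what the "No principal matching ..." lines mean.
sssd_principal_match() {
    klist_out=$1
    host=$2
    realm=$3
    upper=$(printf '%s' "$host" | tr '[:lower:]' '[:upper:]')
    for pat in "$host@$realm" "$upper\$@$realm" "host/$host@$realm" \
               "*\$@$realm" "host/*@$realm"; do
        match=$(list_principals "$klist_out" | while IFS= read -r p; do
            # $pat is deliberately unquoted so that * works as a shell glob
            case $p in $pat) printf '%s\n' "$p"; break ;; esac
        done)
        if [ -n "$match" ]; then
            printf '%s\n' "$match"
            return 0
        fi
    done
    return 1
}

# On a live host: sssd_principal_match "$(klist -k)" "$(hostname -s)" X.Y.LOCAL
if sssd_principal_match "$KLIST_SAMPLE" testdmzlin X.Y.LOCAL; then
    echo "keytab has a principal SSSD can use"
else
    echo "no principal in the keytab satisfies SSSD's search"
fi
```

In the constructed keytab the short-name candidates miss (the entries are fully qualified), but the host/*@X.Y.LOCAL fallback still finds host/testdmzlin.x.y.local@X.Y.LOCAL, which is why fully qualified host principals normally work. In the poster's log even that fallback failed, so the keytab held no host/ or machine-account entry for X.Y.LOCAL at all, consistent with the net ads join error reported earlier in the post; the ldapsearch succeeding proves only that the user's own credential cache is valid, not that the machine keytab is.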
'no primary group ID provided' when trying to use ldap mode against AD
by Daniel Hermans
Hi,
I'd like to use sssd in ldap mode against Active Directory, so I have defined:
id_provider = ldap
auth_provider = ldap
Yes, krb5 would be better but I only have a BIND account and cannot add computer objects.
This 'should' be possible - it works with nslcd. As I don't have POSIX attributes I'm using:
ldap_id_mapping = true
fallback_homedir = /home/%d/%u
default_shell = /bin/bash
sssd can bind with LDAPS and can seem to get user info from the domain:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Some User,OU=Admin Accounts,DC=dev,DC=somedomain,DC=com].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_process_result] (0x2000): Trace: sh[0x7f5d15fbc030], connected[1], ops[0x7f5d1639d140], ldap[0x7f5d15fb5cd0]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_op_destructor] (0x2000): Operation 3 finished
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_search_user_process] (0x4000): Retrieved total 1 users
The UID mapping seems to succeed:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): Save user
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x4000): Failed to retrieve UUID [2][No such file or directory].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): SID S-1-5-21-3970895924-989261097-3267629119-1443 does not belong to any known domain
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_primary_name] (0x0400): Processing object someuser
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): Processing user someuser
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x1000): Mapping user [someuser] objectSID [S-1-5-21-3970895924-989261097-3267629119-1443] to unix ID
But it gets no further with this message:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_idmap_primary_gid] (0x0080): no primary group ID provided
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0020): Cannot get the GID for [someuser] in domain [extdev].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0020): Failed to save user [someuser]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
I have tried against two different domains with identical results (one a cleanly installed 2012R2 domain).
Any ideas what I'm doing wrong? Is this possible? Various (old) posts suggest it is.
This was first (incorrectly) posted to sssd-devel, Jakub Hrozek updated and told me to define ldap_idmap_default_domain_sid so sssd no longer reports this:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): SID S-1-5-21-3970895924-989261097-3267629119-1443 does not belong to any known domain
Thanks in advance!!
6 years, 7 months
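The fix Jakub suggested, ldap_idmap_default_domain_sid, takes the domain SID, which is the object SID quoted in the log with its trailing RID removed. The following script, added here as an example and not part of the thread or of SSSD, pulls the "does not belong to any known domain" lines out of the backend log and prints the sssd.conf line that names the domain SID; it uses the log line quoted in the post as its input, and the log file path in the usage comment is assumed.

```shell
#!/bin/sh
# Added example (not from the original thread). Extracts the object SIDs that
# sssd_be logged as "does not belong to any known domain", derives the domain
# SID from each (object SID minus the trailing RID) and prints the matching
# ldap_idmap_default_domain_sid line. The log line is the one quoted above.

LOG_SAMPLE='(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): SID S-1-5-21-3970895924-989261097-3267629119-1443 does not belong to any known domain'

# extract_unknown_sids LOG: one object SID per line
extract_unknown_sids() {
    printf '%s\n' "$1" \
      | sed -n 's/.*SID \(S-1-5-21-[0-9-]*\) does not belong to any known domain.*/\1/p'
}

# domain_sid_of OBJECT_SID: drop the last dash-separated component (the RID)
domain_sid_of() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# is_domain_sid SID: exit 0 only for S-1-5-21-<n>-<n>-<n>, i.e. a domain SID;
# a user or group SID carries a fourth number, the RID, and is rejected
is_domain_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21(-[0-9]+){3}$'
}

# suggest_idmap_domain_sid LOG: one sssd.conf line per distinct domain SID
# seen in the log (several users from the same domain collapse to one line)
suggest_idmap_domain_sid() {
    extract_unknown_sids "$1" | while IFS= read -r sid; do
        domain_sid_of "$sid"
    done | sort -u | while IFS= read -r dsid; do
        if is_domain_sid "$dsid"; then
            printf 'ldap_idmap_default_domain_sid = %s\n' "$dsid"
        fi
    done
}

# On a live host (log path assumed; the domain section here is [dev]):
#   suggest_idmap_domain_sid "$(grep 'does not belong' /var/log/sssd/sssd_dev.log)"
suggest_idmap_domain_sid "$LOG_SAMPLE"
```

If more than one line comes out, the log contains objects from several domains and only one of them can be the default; pick the domain the workstation's users should map into. Note that this addresses only the "does not belong to any known domain" message: the "no primary group ID provided" failure that actually stops the user from being saved is a separate problem, as the post itself says.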
Weird issue with SSSD and OCSERV
by Michael Leer
I'm getting a weird issue with SSSD. We are using SSSD for AD auth and ocserv for VPN, and it doesn't always appear to check SSSD: I am seeing it check pam_unix, get the auth failure and then simply return the failure instead of trying SSSD. If I restart the service then for a few requests it will use pam_sss (SSSD) and then will begin to simply use pam_unix again.
When I restart the service it appears to work correctly for a moment:
Mar 29 16:42:31 ip-10-0-21-4 m[10038]: pam_unix(ocserv:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=X.X.X.X user=UserY
Mar 29 16:42:32 ip-10-0-21-4 m[10038]: pam_sss(ocserv:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=X.X.X.X user=UserY
Then it will get the following after a few minutes:
Mar 29 17:03:03 ip-10-0-21-4 m[10038]: pam_unix(ocserv:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=X.X.X.X user=UserX
Mar 29 17:03:05 ip-10-0-21-4 m[10038]: PAM authenticate error: Authentication failure
Mar 29 17:03:05 ip-10-0-21-4 m[10038]: PAM-auth pam_auth_pass: Authentication failure
michael.leer(a)crownpeak.com
Switchboard:+44 (0)20 7019 4700
crownpeak.com
Forrester Wave for WCM 2017
Crownpeak,
Studio 1001 Highgate Studios, 53-79 Highgate Road, London, NW5 1TL
Registered in England: No. 3592714, VAT No. 625574723
6 years, 8 months
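The two log excerpts in the post differ in one thing: in the healthy case a pam_sss decision follows the pam_unix failure, in the broken case ocserv returns "PAM authenticate error" straight after pam_unix. The following script, added here as an example and not part of the thread, of ocserv or of SSSD, scans ocserv's PAM log lines for that pattern so the symptom can be spotted over a longer log rather than by eye; the sample input is constructed from the lines quoted above and the log path in the usage comment is assumed.

```shell
#!/bin/sh
# Added example (not from the original thread). Reports authentication
# attempts where pam_unix failed and ocserv returned "PAM authenticate error"
# without any pam_sss line in between, i.e. the stack stopped before SSSD
# was consulted. Sample lines are constructed from the post's own excerpts.

LOG_SAMPLE='Mar 29 16:42:31 ip-10-0-21-4 m[10038]: pam_unix(ocserv:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=X.X.X.X user=UserY
Mar 29 16:42:32 ip-10-0-21-4 m[10038]: pam_sss(ocserv:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=X.X.X.X user=UserY
Mar 29 17:03:03 ip-10-0-21-4 m[10038]: pam_unix(ocserv:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=X.X.X.X user=UserX
Mar 29 17:03:05 ip-10-0-21-4 m[10038]: PAM authenticate error: Authentication failure
Mar 29 17:03:05 ip-10-0-21-4 m[10038]: PAM-auth pam_auth_pass: Authentication failure'

# skipped_sss_attempts LOG: prints "<timestamp> user=<name>" for every attempt
# that never reached pam_sss; returns 1 if any were found, 0 otherwise.
skipped_sss_attempts() {
    printf '%s\n' "$1" | awk '
        /pam_unix\(ocserv:auth\): authentication failure/ {
            # pam_unix failing is expected for a domain user with no local
            # password hash; remember the attempt and watch what follows it
            user = "?"
            for (i = 1; i <= NF; i++) if ($i ~ /^user=/) user = substr($i, 6)
            pending = $1 " " $2 " " $3 " user=" user
            next
        }
        /pam_sss\(ocserv:auth\)/ { pending = ""; next }   # SSSD was consulted
        /PAM authenticate error/ && pending != "" {
            print pending
            found = 1
            pending = ""
        }
        END { if (found) exit 1 }
    '
}

# On a live host (path assumed): skipped_sss_attempts "$(grep ocserv /var/log/secure)"
if skipped_sss_attempts "$LOG_SAMPLE"; then
    echo "every pam_unix failure was followed by a pam_sss decision"
else
    echo "attempts listed above were rejected without consulting pam_sss"
fi
```

The check deliberately treats the pam_unix failure itself as noise, since a domain user has no entry in /etc/shadow and pam_unix is expected to fail for them on a stack where pam_sss comes second; what matters is whether a pam_sss line appears before ocserv reports its verdict. The script assumes, as the post's excerpts show, that ocserv logs all three messages from the same process.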
KRB5CCNAME hardcoded?
by Joakim Tjernlund
I have tried to set KRB5CCNAME to something predictable, both in
sssd.conf (krb5_ccname_template = FILE:/tmp/krb5cc_:%U)
and
krb5.conf (default_ccache_name = FILE:/tmp/krb5cc_%{uid})
but whatever I do KRB5CCNAME reads:
KRB5CCNAME=FILE:/tmp/krb5cc_<UID>_ryxWRPDHZD
Is the name hardcoded nowadays (in sssd 1.15.2)?
Jocke
6 years, 8 months
sssd on wheezy
by mourik jan heupink
Hi,
I'm trying to get sssd 1.8.4 (comes with debian wheezy) to work with
samba4. As this is an older sssd version, I'll have to use the ldap
mode, and not the AD config.
As I'm having trouble using the GSSAPI keytab (sssd logs "failed to
connect, going offline") I would like to attempt simpler DN/password
authentication.
Your docs talk about it, so I guess the option exists:
> https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate...
My question: would anyone be willing to share an sssd.conf that works
with samba4/rfc2307bis AD DCs, but using password authentication?
(Or can anyone point me to a doc where this is explained?)
Best regards,
MJ
6 years, 8 months
applies override_homedir dynamically
by Yunchih Chen
Hi friends:
I'm managing a workstation where user home directories are mounted
from an NFS server. Sometimes the NFS server goes down
and the user gets stuck when she tries to log in with ssh. We have a
daemon that periodically checks the health of the NFS server. If it
goes down, we'd like to apply the "override_homedir" option to
override the home directory string from LDAP with some local directory
like /tmp so that the user can still log in, despite the lack of a home
directory.
It seems that whenever I add/remove the "override_homedir" to/from
sssd.conf, I must restart the sssd daemon.
I wonder if I can ask the sssd daemon to dynamically reload without a restart?
Or do you have a better solution for this scenario?
Thank you!!
6 years, 8 months