Bug #3131 in the sssd-1.14?
by Ondrej Valousek
Hi, which version from the 1.14 line contains a fix for bug #1313 (fixed in 1.13.5)?
I am running 1.14.0-43 from CentOS-7 and it seems to suffer from the same problem.
Thanks,
Ondrej
-----
6 years, 8 months
Shell customization for SSSD users
by me@vitalykarasik.com
We have a few RHEL7 boxes for developers; users are authenticated with SSSD against AD.
Each developer has his/her own Linux machine, and all Linuxes are managed by Puppet.
Until now all users used BASH ("default_shell = /bin/bash").
Now we have a few users who want ZSH. Because we'd like to keep sssd.conf standard on all Linuxes, we thought about using something like:
allowed_shells = /bin/zsh,/bin/bash
shell_fallback = /bin/bash
So if a certain Linux box has ZSH installed, the user will get it; otherwise it will use BASH.
We tried this config, and played with other shell-related config params - nothing works.
Users receive /bin/sh instead of bash or zsh.
Any ideas?
TIA,
Vitaly
6 years, 8 months
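A model of the login-shell selection documented in sssd.conf(5) (override_shell, default_shell, vetoed_shells, allowed_shells, shell_fallback), added here as an illustration; it is not SSSD's own code and not a diagnosis of the poster's setup. The nologin path and the sample /etc/shells contents are assumptions.

```python
# Added model of the login-shell selection documented in sssd.conf(5)
# (override_shell, default_shell, vetoed_shells, allowed_shells,
# shell_fallback). Written for this page; it is not SSSD's own code.
NOLOGIN_SHELL = "/sbin/nologin"   # assumed path; distributions differ


def split_list(value):
    """Turn a comma-separated sssd.conf value into a list of shells."""
    if not value:
        return []
    return [item.strip() for item in value.split(",") if item.strip()]


def select_shell(provider_shell, etc_shells, default_shell=None,
                 allowed_shells=None, vetoed_shells=None,
                 shell_fallback="/bin/sh", override_shell=None):
    """Return the shell the NSS responder would hand to libc.

    provider_shell: loginShell returned by AD/LDAP, or None when unset.
    etc_shells:     contents of /etc/shells on this box. SSSD reads the
                    file only at start-up, so a shell installed later is
                    invisible until SSSD restarts.
    shell_fallback: defaults to /bin/sh when the option is not set.
    """
    allowed = split_list(allowed_shells)
    vetoed = split_list(vetoed_shells)

    # override_shell replaces whatever the provider says, unconditionally.
    if override_shell:
        return override_shell
    # No shell from the provider: default_shell, else let libc pick.
    if not provider_shell:
        return default_shell
    # No restrictions configured: pass the provider value through as-is.
    if not allowed and not vetoed:
        return provider_shell
    # A vetoed shell is always replaced by the fallback.
    if provider_shell in vetoed:
        return shell_fallback
    # Installed here (listed in /etc/shells): use it, allowed or not.
    if provider_shell in etc_shells:
        return provider_shell
    # Allowed (or "*" wildcard) but not installed: fallback.
    if "*" in allowed or provider_shell in allowed:
        return shell_fallback
    # Neither allowed nor installed.
    return NOLOGIN_SHELL


if __name__ == "__main__":
    # Constructed scenario: the config from the post, on a box without zsh.
    shells_without_zsh = ["/bin/sh", "/bin/bash"]
    print(select_shell("/bin/zsh", shells_without_zsh,
                       default_shell="/bin/bash",
                       allowed_shells="/bin/zsh,/bin/bash",
                       shell_fallback="/bin/bash"))   # /bin/bash
```

Note that with allowed_shells set but shell_fallback left unset, a loginShell that is not in /etc/shells resolves to the built-in fallback /bin/sh.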
wbinfo-like tool for sssd
by smfrench@gmail.com
When debugging sssd it would be nice to be able to do various operations that getent can't do (e.g. 'name-to-sid' or 'sid-to-uid' etc.) or nss is not configured to do (testing that auth works, e.g.), and the wbinfo tool has a pretty good list of the typical things that an admin or developer would want to do to test sssd or winbind, but ... I couldn't find an sssd equivalent of wbinfo, and it looks like this is a known issue; e.g. I saw this thread http://serverfault.com/questions/795004/what-is-the-sssd-equivalent-for-w... and others.
Is there any work in progress on an sssd equivalent of wbinfo?
6 years, 8 months
hbac_eval_user_element timing
by Lachlan Musicman
What controls how long hbac_eval_user_element waits for responses?
Is it [pam] pam_id_timeout or [nss] memcache_timeout or something else?
I am still seeing a disconnect between how many groups a person is in and how many hbac_eval_user_element is returning, and I was wondering if it was a timeout issue.
cheers
L.
------
The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper
6 years, 8 months
NT_STATUS_LOGON_FAILURE on Debian 9 with kerberos and sssd libwbclient
by Martin Scott
Hi,
I have Debian 9 samba installed with sssd.
Samba Version 4.5.6-Debian
SSSD 1.15.0
I have configured Samba to use the sssd libwbclient but keep getting a login failure for a valid user name and password when using smbclient -k.
I can't work out why this is happening, any help would be greatly appreciated.
Log snippet below
[2017/03/24 09:03:00.756770, 5, pid=1814, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2017/03/24 09:03:00.756775, 5, pid=1814, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2017/03/24 09:03:00.756785, 4, pid=1814, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/03/24 09:03:00.756790, 1, pid=1814, effective(0, 0), real(0, 0)] ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
Failed to generate session_info (user and group token) for session setup: NT_STATUS_LOGON_FAILURE
[2017/03/24 09:03:00.756803, 5, pid=1814, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:159(dbwrap_check_lock_order)
check lock order 1 for smbXsrv_session_global.tdb
[2017/03/24 09:03:00.756808, 10, pid=1814, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:114(debug_lock_order)
lock order: 1:smbXsrv_session_global.tdb 2:<none> 3:<none>
[2017/03/24 09:03:00.756817, 10, pid=1814, effective(0, 0), real(0, 0)] ../source3/lib/dbwrap/dbwrap_ctdb.c:1064(fetch_locked_internal)
Locking db 1795596909 key 18669855
[2017/03/24 09:03:00.756832, 10, pid=1814, effective(0, 0), real(0, 0)] ../source3/lib/ctdbd_conn.c:617(ctdbd_control)
ctdbd_control: Sending ctdb packet reqid=84, vnn=4026531841, opcode=128, srvid=1795596909
len=100, magic=43544442, vers=1, gen=0, op=7, reqid=84
[2017/03/24 09:03:00.756854, 5, pid=1814, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:127(dbwrap_lock_order_state_destructor)
release lock order 1 for smbXsrv_session_global.tdb
[2017/03/24 09:03:00.756860, 10, pid=1814, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:114(debug_lock_order)
lock order: 1:<none> 2:<none> 3:<none>
[2017/03/24 09:03:00.756865, 10, pid=1814, effective(0, 0), real(0, 0)] ../source3/lib/dbwrap/dbwrap_ctdb.c:932(db_ctdb_record_destr)
Unlocking db 1795596909 key 18669855
[2017/03/24 09:03:00.756891, 3, pid=1814, effective(0, 0), real(0, 0)] ../source3/smbd/error.c:82(error_packet_set)
NT error packet at ../source3/smbd/sesssetup.c(293) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
6 years, 8 months
Multiple Active Directory Domain Controllers - what if one is down ...
by smfrench@gmail.com
In testing using "realm join" to join an Active Directory domain with two domain controllers, we ran into a problem where "realm join" would fail when one of the two Domain Controllers was down. It looks like in a common case where nslookup shows two entries for myrealm.ad.test but the first one is down (can't ping it), realmd doesn't try the second one automatically - but rather fails the 'realm join'.
6 years, 8 months
realm join and net join incompatibilities
by smfrench@gmail.com
In tracing through problems with realm join (in a Samba/ctdb cluster), I was noticing that realm join implicitly calls 'net ads join' (which should be a good thing) but it passes '-s' with a temporary smb.conf to 'net ads join' (which is a bad thing since it leaves out clustering=yes and the include=registry). What I was noticing was that to get sssd AND Samba to work after 'realm join' you had to run 'net ads join' (explicitly) on at least one node of the cluster (but that is risky because then sssd doesn't know about the keytab update that 'net ads join' just did). If you don't run 'net ads join' after 'realm join', Samba will fail because it doesn't think it is joined to a domain (so session setups to it will get a 'NO_LOGON_SERVER' error, and 'net ads testjoin' will show it is not joined as well) - presumably because the 'net ads join' that realmd does implicitly on 'realm join' has the wrong smb.conf passed in to it (with no clustering). Comparing traces of the two joins, the main difference I see is that there are no ctdb related events logged in the 'net ads join' implicitly called by 'realm join' (and secrets.tdb is missing the entry for the domain on all nodes).
Any thoughts of 1) how to force 'realm join' to use a better smb.conf rather than the temporary one it chooses during 'net ads join' or 2) how to safely do a 'net ads join' after 'realm join' (and not confuse sssd)?
6 years, 8 months
Announcing SSSD 1.15.2
by Jakub Hrozek
SSSD 1.15.2
===========
The SSSD team is proud to announce the release of version 1.15.2 of the
System Security Services Daemon.
The tarball can be downloaded from https://releases.pagure.org/SSSD/sssd/
RPM packages will be made available for Fedora shortly.
Feedback
--------
Please provide comments, bugs and other feedback via the sssd-devel or
sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Highlights
----------
* It is now possible to configure certain parameters of a trusted domain
in a configuration file sub-section. In particular, it is now possible
to configure which Active Directory DCs the SSSD talks to with a
configuration like this::
[domain/ipa.test]
# IPA domain configuration. This domain trusts a Windows domain win.test
[domain/ipa.test/win.test]
ad_server = dc.win.test
* Several issues related to socket-activating the NSS service, especially
if SSSD was configured to use a non-privileged user, were fixed.
The NSS service now doesn't change the ownership of its log files to
avoid triggering a name-service lookup while the NSS service is not
running yet. Additionally, the NSS service is started before any other
service to make sure username resolution works and the other service
can resolve the SSSD user correctly.
* A new option "cache_first" allows the administrator to change the way
multiple domains are searched. When this option is enabled, SSSD will
first try to "pin" the requested name or ID to a domain by searching
the entries that are already cached and contact the domain that contains
the cached entry first. Previously, SSSD would check the cache and the
remote server for each domain. This option brings performance benefit
for setups that use multiple domains (even auto-discovered trusted
domains), especially for ID lookups that would previously iterate over
all domains. Please note that this option must be enabled with care as the
administrator must ensure that the ID space of domains does not overlap.
* The SSSD D-Bus interface gained two new methods:
"FindByNameAndCertificate" and "ListByCertificate". These methods
will be used primarily by IPA and
`mod_lookup_identity <https://github.com/adelton/mod_lookup_identity/>`_
to correctly match multiple users who use the same certificate for Smart
Card login.
* A bug where SSSD did not properly sanitize a username with a newline
character in it was fixed.
Packaging Changes
-----------------
None in this release
Documentation Changes
---------------------
* A new option "cache_first" was added. Please see the Highlights
section for more details
* The "override_homedir" option supports a new template expansion "l"
that expands to the first letter of username
Tickets Fixed
-------------
Please note that due to a bug in the pagure.io tracker, some tickets that
have dependencies set to other tickets cannot be closed at the moment.
* <https://pagure.io/SSSD/sssd/issue/3317> - Newline characters (\n) must be sanitized before LDAP requests take place
* <https://pagure.io/SSSD/sssd/issue/3316> - sssd-secrets doesn't exit on idle
* <https://pagure.io/SSSD/sssd/issue/3314> - sssd ignores entire groups from proxy provider if one member is listed twice
* <https://pagure.io/SSSD/sssd/issue/3164> - when group is invalidated using sss_cache dataExpireTimestamp entry in the domain and timestamps cache are inconsistent
* <https://pagure.io/SSSD/sssd/issue/2668> - [RFE] Add more flexible templating for override_homedir config option
* <https://pagure.io/SSSD/sssd/issue/2599> - Make it possible to configure AD subdomain in the server mode
* <https://pagure.io/SSSD/sssd/issue/3322> - chown in ExecStartPre of sssd-nss.service hangs forever
* <https://pagure.io/SSSD/sssd/issue/843> - Login time increases strongly if more than one domain is configured
* <https://pagure.io/SSSD/sssd/issue/2320> - use the sss_parse_inp request in other responders than dbus
Detailed Changelog
------------------
* Fabiano Fidêncio (7):
* RESPONDER: Wrap up the code to setup the idle timeout
* SECRETS: Shutdown the responder in case it becomes idle
* CACHE_REQ: Move cache_req_next_domain() into a new tevent request
* CACHE_REQ: Check the caches first
* NSS: Don't set SocketUser/SocketGroup as "sssd" in sssd-nss.socket
* NSS: Ensure the NSS socket is started before any other services' sockets
* NSS: Don't call chown on NSS service's ExecStartPre
* Ignacio Reguero (1):
* UTIL: first letter of user name template for override_homedir
* Jakub Hrozek (9):
* Updating the version for the 1.15.2 release
* Allow manual start for sssd-ifp
* NSS: Fix invalidating memory cache for subdomain users
* UTIL: Add a new macro SAFEALIGN_MEMCPY_CHECK
* UTIL: Add a generic iobuf module
* BUILD: Detect libcurl during configure
* UTIL: Add a libtevent libcurl wrapper
* TESTS: test the curl wrapper with a command-line tool
* Updating the translations for the 1.15.2 release
* Justin Stephenson (1):
* MAN: Add dyndns_auth option
* Lukas Slebodnik (3):
* test_secrets: Fail in child if sssd_secrets cannot start
* test_utils: Add test coverage for %l in override_homedir
* util-test: Extend unit test for sss_filter_sanitize_ex
* Michal Židek (4):
* data_provider: Fix typo in DEBUG message
* SUBDOMAINS: Configurable search bases
* SUBDOMAINS: Allow options ad(_backup)_server
* MAN: Add trusted domain section man entry
* Pavel Březina (4):
* cache_req: use rctx as memory context during midpoint refresh
* CACHE_REQ: Make "cache_req_{create_and_,}add_result()" more generic
* CACHE_REQ: Move result manipulation into a separate module
* CACHE_REQ: shortcut if object is found
* Petr Čech (2):
* sss_cache: User/groups invalidation in domain cache
* PROXY: Remove duplicit users from group
* Sumit Bose (7):
* sysdb: allow multiple results for searches by certificate
* cache_req: allow multiple matches for searches by certificate
* ifp: add ListByCertificate
* ifp: add FindByNameAndCertificate
* PAM: allow multiple users mapped to a certificate
* nss: ensure that SSS_NSS_GETNAMEBYCERT only returns a unique match
* IPA: get overrides for all users found by certificate
* Thorsten Scherf (1):
* Fixed typo in debug output
* Victor Tapia (1):
* UTIL: Sanitize newline and carriage return characters.
6 years, 8 months
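An added example of the sanitization behind issue 3317 above (newline and carriage return in a username reaching an LDAP filter). It mirrors the escaping SSSD's sss_filter_sanitize() applies (RFC 4515 hex escapes, with \n and \r added in this release), but is written for this page and is not SSSD's code; the filter template and the sample names are constructed.

```python
# Added example of LDAP search-filter sanitization, the class of fix
# behind issue 3317. Modeled on the escaping sss_filter_sanitize() does
# (RFC 4515 hex escapes, with \n and \r added in 1.15.2); written for
# this page, not copied from SSSD.

# Every filter-special character and its RFC 4515 hex escape.
_ESCAPES = {
    "\\": r"\5c",   # backslash: escaped by lookup, so never re-escaped
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",   # listed by RFC 4515; cannot occur in a C string
    "\n": r"\0a",   # newline, the subject of issue 3317
    "\r": r"\0d",   # carriage return, sanitized by the same commit
}


def filter_sanitize(value, ignore=""):
    """Escape every filter-special character in `value`.

    `ignore` mirrors the ignore list of sss_filter_sanitize_ex: characters
    in it are passed through, e.g. "*" when the caller wants a wildcard.
    """
    return "".join(
        _ESCAPES[ch] if ch in _ESCAPES and ch not in ignore else ch
        for ch in value
    )


def user_filter(name):
    """Constructed name-lookup filter; the name is sanitized before use."""
    return "(&(objectClass=posixAccount)(uid=%s))" % filter_sanitize(name)


def open_paren_count(filt):
    """Number of unescaped '(' in a filter, i.e. its structural shape.

    After sanitization no user-supplied '(' survives, so this count is
    fixed by the template and independent of the looked-up name.
    """
    return filt.count("(")


if __name__ == "__main__":
    # Constructed input: a name that carries a newline, as in issue 3317.
    print(user_filter("bob\n"))   # (&(objectClass=posixAccount)(uid=bob\0a))
```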
sssd sasl/gssapi Authentication through NAT
by knauf@patronas.com
Hello,
I have a problem authenticating the identity of a principal to a NAT'ed server via GSSAPI.
Our KDC/LDAP is externally available through a NAT_IP (and NAT_HOSTNAME).
The connection to the server looks fine:
------------------------------------------
nc -v NAT_IP 389
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connected to NAT_IP:389.
------------------------------------------
relevant part of: /etc/sssd/sssd.conf
------------------------------------------
[domain/XXXXX.XX]
ldap_sasl_mech = gssapi
ldap_sasl_authid = host/FQDN_HOST
ldap_sasl_canonicalize = false
ldap_user_principal = userPrincipalName
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
ldap_krb5_ticket_lifetime = 86400
sudo_provider = ldap
access_provider = ldap
ldap_access_order = host
------------------------------------------
After restarting the sssd daemon, I got the following error message (sssd_DOMAIN.log):
------------------------------------------
[sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user:
host/FQDN_HOST
[sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
[sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic
failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide
more information (Server not found in Kerberos database)]
[sdap_cli_connect_recv] (0x0040): Unable to establish connection
[1432158225]: Authentication Failed
[_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING.
Called from: src/providers/ldap/sdap_async_connection.c:
sdap_cli_connect_recv: 2048
[fo_set_port_status] (0x0100): Marking port 389 of server 'NAT_IP' as
'not working'
[fo_set_port_status] (0x0400): Marking port 389 of duplicate server
'NAT_IP' as 'not working
------------------------------------------
After spending some time on this problem, I could narrow it down to a DNS reverse lookup problem during the GSSAPI authentication.
If I put the following entry into /etc/hosts, all works fine, but this solution is not practicable for me:
NAT_IP REAL_HOSTNAME
Perhaps you have some clues for me to solve this problem?
Thanks & greets
Steffen
6 years, 8 months
Separation of access by domain groups for different server services
by Aleksey Maksimov
Hello SSSD gurus!
Need your advice.
Current configuration on my web-server:
# hostnamectl
____________________________________________________________________________
Operating System: Debian GNU/Linux 8 (jessie)
Kernel: Linux 3.16.0-4-amd64
Architecture: x86-64
# sssd --version
____________________________________________________________________________
1.11.7
# cat /etc/sssd/sssd.conf
____________________________________________________________________________
[sssd]
domains = ad.holding.com
config_file_version = 2
services = nss, pam
default_domain_suffix = ad.holding.com
[domain/ad.holding.com]
ad_server = dc01.ad.holding.com, dc02.ad.holding.com
ad_backup_server = dc05.ad.holding.com, dc07.ad.holding.com
ad_domain = ad.holding.com
krb5_realm = AD.HOLDING.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
ldap_use_tokengroups = False
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = simple
subdomains_provider = none
ldap_idmap_default_domain_sid = S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
simple_allow_groups = SRV-Linux-Servers-Administrators@ad.holding.com
# cat /etc/pam.d/common-account | grep sss
____________________________________________________________________________
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# cat /etc/pam.d/common-auth | grep sss
____________________________________________________________________________
auth [success=1 default=ignore] pam_sss.so use_first_pass
# cat /etc/pam.d/common-password | grep sss
____________________________________________________________________________
password sufficient pam_sss.so use_authtok
# cat /etc/pam.d/common-session | grep sss
____________________________________________________________________________
session optional pam_sss.so
Now with this configuration everything is working fine.
Only users of the domain group "SRV-Linux-Servers-Administrators@ad.holding.com" can log in to the server.
Now I need to allow connection to the server (Kerberos SSO to a web site on Apache) for other domain users.
The new domain group "SRV-WebServer-Operators@ad.holding.com" must connect to the Apache web server. But these users cannot log in to the server.
That is, users of group "SRV-WebServer-Operators" are not in group "SRV-Linux-Servers-Administrators".
Please tell me how, with the help of the SSSD/PAM/NSS, to properly restrict access in this situation.
So far I've created a custom PAM-service:
# cat /etc/pam.d/apache2-operators
auth required pam_sss.so
account required pam_sss.so
And I set up a web server to use this PAM-service.
Here is a snippet of the working configuration of the web server:
...
<Directory "/sub/folder">
#
# Kerberos SSO auth with PAM authz
#
AuthType Kerberos
AuthName "Kerberos Login"
Krb5Keytab /etc/apache2/Apache-AD-Krb.keytab
KrbAuthRealms AD.HOLDING.COM
KrbMethodK5Passwd off
# Require valid-user
Require pam-account apache2-operators
#
...
</Directory>
...
Access to the site works if the user is also in the group "SRV-Linux-Servers-Administrators".
But if the user does not belong to group "SRV-Linux-Servers-Administrators" then he cannot connect to the site.
How can I allow a user from group "SRV-WebServer-Operators" to connect to the site, but not allow logging in to the server?
6 years, 8 months
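A model of the evaluation rules in sssd-simple(5) for the access_provider = simple used in the sssd.conf above, added here as an illustration; it is not SSSD's code. The user names are constructed; the group names are the two from the post. One input the simple provider does not take is the PAM service name, so the account phase of apache2-operators is answered from the same simple_allow_groups list as sshd's.

```python
# Added model of the evaluation rules in sssd-simple(5) for
# access_provider = simple. Written for this page; not SSSD's own code.
def simple_access(user, user_groups, allow_users=(), allow_groups=(),
                  deny_users=(), deny_groups=()):
    """Return True if the simple provider would grant access.

    Names are compared exactly as SSSD sees them; with
    use_fully_qualified_names = True that is user@domain / group@domain.
    The PAM service name is not an input: pam_sss's account phase asks
    the same provider whether the service is sshd or apache2-operators.
    """
    groups = set(user_groups)
    # All lists empty: everyone is granted.
    if not (allow_users or allow_groups or deny_users or deny_groups):
        return True
    # A matching deny rule supersedes any matching allow rule.
    if user in deny_users or groups & set(deny_groups):
        return False
    # With any allow list present, the user must appear in one of them.
    if allow_users or allow_groups:
        return user in allow_users or bool(groups & set(allow_groups))
    # Only deny lists were given and none matched.
    return True


# Groups from the post; the user names below are constructed.
DOMAIN = "ad.holding.com"
ADMINS = "SRV-Linux-Servers-Administrators@" + DOMAIN
OPERATORS = "SRV-WebServer-Operators@" + DOMAIN


def current_config(user, user_groups):
    """The post's sssd.conf: simple_allow_groups lists administrators only."""
    return simple_access(user, user_groups, allow_groups=(ADMINS,))


if __name__ == "__main__":
    for who, groups in (("alice@" + DOMAIN, [ADMINS]),
                        ("bob@" + DOMAIN, [OPERATORS])):
        verdict = "granted" if current_config(who, groups) else "denied"
        print(who, "->", verdict)   # alice granted, bob denied
```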