sssd performance on large domains
by zfnoctis@gmail.com
Hi,
I'm wondering if there are any plans to improve sssd performance on large active directory domains (100k+ users, 40k+ groups), or if there are settings I am not aware of that can greatly improve performance, specifically for workstation use cases.
Currently if I do not set "ignore_group_members = True" in sssd.conf, logins can take upwards of 6 minutes and "sssd_be" will max the CPU for up to 20 minutes after logon, which makes it a non-starter. The reason I want to allow group members to be seen is that I want certain domain groups to be able to perform elevated actions using polkit. If I ignore group members, polkit reports that the group is empty and so no one can elevate in the graphical environment.
Ultimately this means that Linux workstations are at a severe disadvantage since they cannot be bound to the domain and have the normal set of access features users and IT expect from macOS or Windows.
Distributions used: Ubuntu 16.04 (sssd 1.13.4-1ubuntu1.1), Ubuntu 16.10 (sssd 1.13.4-3) and Fedora 24 (sssd-1.13.4-3.fc24). All exhibit the same problems.
I've also tried "ldap_group_nesting_level = 1" without seeing any noticeable improvement with respect to performance. Putting the database on /tmp isn't viable as these are workstations that will reboot semi-frequently, and I don't believe this is an I/O bound performance issue anyways.
Thanks for your time.
1 year, 10 months
Enumerate users from external group from AD trust
by Bolke de Bruin
Hello,
I have sssd 1.13.00 working against FreeIPA 4.2 domain. This domain has a trust relationship with a active directory domain.
One of the systems we are using requires to enumerate all users in groups by (unfortunate) design (Apache Ranger). This is done by using
“getent group”. During this enumeration the full user list for a group that has a nested external member group* is not always returned so we thought to
add “getent group mygroup” in order to get more details. Unfortunately this does not seem to work consistently: sometimes this gives information sometimes it does not:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
[root@master centos]# id bolke(a)ad.local
UID=1796201107(bolke(a)ad.local) GID=1796201107(bolke(a)ad.local) groepen=1796201107(bolke(a)ad.local),1796200513(domain users@ad.local),1796201108(test(a)ad.local)
[root@master centos]# getent group ad_users
ad_users:*:1950000004:bolke@ad.local <mailto:bolke@ad.local>
If I clear the cache (sss_cache -E) the entry is gone again:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
My question is how do I get sssd to enumerate *all users* in a group consistently?
Thanks!
Bolke
* https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-g...
4 years
Does anyone use id_provider=local ?
by Jakub Hrozek
Hi,
are there any SSSD users who actively use a configuration with:
id_provider=local ?
If so, what is your use-case?
We're considering deprecating and eventually removing this provider
upstream. The replacemant for id_provider=local would be id_provider=files:
https://fedorahosted.org/sssd/wiki/DesignDocs/FilesProvider
which is already under review and later extension of the SSSD's D-Bus
interface to allow manipulating custom user attributes.
My current plan for deprecating the local provider is to only build the
provider and the tools around it if a configure-time flag is provided.
This flag would be disabled by default. Then, if noone complains,
eventually just remove the code.
6 years, 1 month
Re: kerberos ticket not renewed in 15.2/master
by Lukas Slebodnik
On (22/05/17 06:51), Joakim Tjernlund wrote:
>On Fri, 2017-05-19 at 16:59 +0200, Lukas Slebodnik wrote:
>> On (19/05/17 14:41), Joakim Tjernlund wrote:
>> > On Fri, 2017-05-19 at 16:34 +0200, Lukas Slebodnik wrote:
>> > > On (19/05/17 14:07), Joakim Tjernlund wrote:
>> > > > Will do over the week end
>> > > >
>> > > > >
>> > > > > Please also provide an output of following command
>> > > > > rpm -V sssd-common sssd-krb5-common
>> > > >
>> > > > That is a bit hard as this is Gentoo :)
>> > >
>> > > Ahh sorry;
>> > >
>> > > I cannot see 1.15.2 in portage.
>> > > Which arguments did you pass to configure?
>> >
>> > Sending the ebuilds I use, made by myself as upstream is lagging behind.
>> >
>>
>> Logging to journald is not enabled enabled. So I do not think
>> you fwill find anything in journald :-)
>>
>> sssd is not compiled with non-privileged user therefore
>> it should not cause problems.
>>
>> We will not be able to move it forward without
>> *child log files.
>>
>> LS
>
>Hi again
>
>Got some *child logs now. Can you make something of these?
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [main] (0x0400): ldap_child started.
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [main] (0x2000): context initialized
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [unpack_buffer] (0x1000): total buffer size: 49
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [unpack_buffer] (0x1000): realm_str size: 12
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [unpack_buffer] (0x1000): got realm_str: INFINERA.COM
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [unpack_buffer] (0x1000): princ_str size: 13
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [unpack_buffer] (0x1000): got princ_str: GENTOO-LABBB$
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [unpack_buffer] (0x1000): keytab_name size: 0
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [unpack_buffer] (0x1000): lifetime: 86400
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [unpack_buffer] (0x0200): Will run as [0][0].
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [privileged_krb5_setup] (0x2000): Kerberos context initialized
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [main] (0x2000): Kerberos context initialized
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [become_user] (0x0200): Trying to become user [0][0].
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [become_user] (0x0200): Already user [0].
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [main] (0x2000): Running as [0][0].
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [main] (0x2000): getting TGT sync
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [ldap_child_get_tgt_sync] (0x2000): got realm_name: [INFINERA.COM]
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [GENTOO-LABBB$(a)INFINERA.COM]
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.430433: Getting initial credentials for GENTOO-LABBB$(a)INFINERA.COM
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.430585: Looked up etypes in keytab: des-cbc-crc, des, des-cbc-crc, aes128-cts, aes256-cts, rc4-hmac
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.430660: Sending request (203 bytes) to INFINERA.COM
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.430840: Resolving hostname se-dc01.infinera.com
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.431709: Sending initial UDP request to dgram 10.210.34.21:88
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.432672: Received answer (266 bytes) from dgram 10.210.34.21:88
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.432741: Response was not from master KDC
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.432786: Received error from KDC: -1765328359/Additional pre-authentication required
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.432851: Processing preauth types: 16, 15, 19, 2
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.432880: Selected etype info: etype aes256-cts, salt "INFINERA.COMhostgentoo-labbb.infinera.com", params ""
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.432923: Retrieving GENTOO-LABBB$(a)INFINERA.COM from MEMORY:/etc/krb5.keytab (vno 0, enctype aes256-cts) with result: 0/Success
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.432960: AS key obtained for encrypted timestamp: aes256-cts/645C
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.433059: Encrypted timestamp (for 1495435577.276052): plain 301AA011180F32303137303532323036343631375AA1050203043654, encrypted 08B7186DAB549BD6AC8DCC76C9E88A5FB59619A42672B848C1CF6605E2AB5EFB54D0EDD8B8FC3D9BC154519791BD77F8938FBADEB6C9F65C
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.433087: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.433103: Produced preauth for next request: 2
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.433137: Sending request (283 bytes) to INFINERA.COM
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.433172: Resolving hostname se-dc01.infinera.com
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.433387: Sending initial UDP request to dgram 10.210.34.21:88
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.434554: Received answer (96 bytes) from dgram 10.210.34.21:88
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.434603: Response was not from master KDC
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.434624: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.434636: Request or response is too big for UDP; retrying with TCP
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.434647: Sending request (283 bytes) to INFINERA.COM (tcp only)
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.434665: Resolving hostname se-dc01.infinera.com
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.434807: Initiating TCP connection to stream 10.210.34.21:88
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.435110: Sending TCP request to stream 10.210.34.21:88
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.436061: Received answer (1543 bytes) from stream 10.210.34.21:88
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.436086: Terminating TCP connection to stream 10.210.34.21:88
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.436130: Response was not from master KDC
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.436166: Processing preauth types: 19
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.436180: Selected etype info: etype aes256-cts, salt "INFINERA.COMhostgentoo-labbb.infinera.com", params ""
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.436191: Produced preauth for next request: (empty)
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.436204: AS key determined by preauth: aes256-cts/645C
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.436268: Decrypted AS reply; session key is: aes256-cts/00F2
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.436287: FAST negotiation: unavailable
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [ldap_child_get_tgt_sync] (0x2000): credentials initialized
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [ldap_child_get_tgt_sync] (0x2000): keytab ccname: [FILE:/var/lib/sss/db/ccache_INFINERA.COM_wwO4jb]
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.436396: Initializing FILE:/var/lib/sss/db/ccache_INFINERA.COM_wwO4jb with default princ GENTOO-LABBB$(a)INFINERA.COM
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [sss_child_krb5_trace_cb] (0x4000): [17650] 1495435574.436543: Storing GENTOO-LABBB$(a)INFINERA.COM -> krbtgt/INFINERA.COM(a)INFINERA.COM in FILE:/var/lib/sss/db/ccache_INFINERA.COM_wwO4jb
>
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [ldap_child_get_tgt_sync] (0x2000): credentials stored
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [ldap_child_get_tgt_sync] (0x2000): Got KDC time offset
The time is not synchronised between client and server.
MIT krb5 can handle small offset. But I would highly recommends
to keep time in sync.
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [ldap_child_get_tgt_sync] (0x2000): Renaming [/var/lib/sss/db/ccache_INFINERA.COM_wwO4jb] to [/var/lib/sss/db/ccache_INFINERA.COM]
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/db/ccache_INFINERA.COM_wwO4jb]
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/db/ccache_INFINERA.COM_wwO4jb]
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [prepare_response] (0x0400): Building response for result [0]
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [pack_buffer] (0x2000): response size: 60
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [pack_buffer] (0x1000): result [0] krberr [0] msgsize [40] msg [FILE:/var/lib/sss/db/ccache_INFINERA.COM]
>(Mon May 22 08:46:14 2017) [[sssd[ldap_child[17650]]]] [main] (0x0400): ldap_child completed successfully
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [main] (0x0400): krb5_child started.
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [unpack_buffer] (0x1000): total buffer size: [154]
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [unpack_buffer] (0x0100): cmd [248] uid [1001] gid [100] validate [true] enterprise principal [false] offline [false] UPN [jocke(a)INFINERA.COM]
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1001] old_ccname: [FILE:/tmp/krb5cc_1001] keytab: [/etc/krb5.keytab]
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [check_use_fast] (0x0100): Not using FAST.
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [switch_creds] (0x0200): Switch user to [1001][100].
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [switch_creds] (0x0200): Switch user to [0][0].
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_1001] and is active and TGT is valid.
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [become_user] (0x0200): Trying to become user [1001][100].
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [main] (0x2000): Running as [1001][100].
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [k5c_setup] (0x2000): Running as [1001][100].
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [set_lifetime_options] (0x0100): Renewable lifetime is set to [7d]
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [set_lifetime_options] (0x0100): Lifetime is set to [24h]
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [main] (0x0400): Will perform ticket renewal
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [renew_tgt_child] (0x1000): Renewing a ticket
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [sss_child_krb5_trace_cb] (0x4000): [17652] 1495435574.515585: Retrieving jocke(a)INFINERA.COM -> krbtgt/INFINERA.COM(a)INFINERA.COM from FILE:/tmp/krb5cc_1001 with result: 0/Success
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [sss_child_krb5_trace_cb] (0x4000): [17652] 1495435574.515616: Get cred via TGT krbtgt/INFINERA.COM(a)INFINERA.COM after requesting krbtgt/INFINERA.COM(a)INFINERA.COM (canonicalize off)
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [sss_child_krb5_trace_cb] (0x4000): [17652] 1495435574.515681: Generated subkey for TGS request: aes256-cts/2D54
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [sss_child_krb5_trace_cb] (0x4000): [17652] 1495435574.515747: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [sss_child_krb5_trace_cb] (0x4000): [17652] 1495435574.515862: Encoding request body and padata into FAST request
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [sss_child_krb5_trace_cb] (0x4000): [17652] 1495435574.515973: Sending request (1901 bytes) to INFINERA.COM
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [sss_child_krb5_trace_cb] (0x4000): [17652] 1495435574.516194: Resolving hostname se-dc01.infinera.com
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [sss_child_krb5_trace_cb] (0x4000): [17652] 1495435574.516448: Initiating TCP connection to stream 10.210.34.21:88
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [sss_child_krb5_trace_cb] (0x4000): [17652] 1495435574.516778: Sending TCP request to stream 10.210.34.21:88
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [sss_child_krb5_trace_cb] (0x4000): [17652] 1495435574.517190: Received answer (123 bytes) from stream 10.210.34.21:88
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [sss_child_krb5_trace_cb] (0x4000): [17652] 1495435574.517203: Terminating TCP connection to stream 10.210.34.21:88
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [sss_child_krb5_trace_cb] (0x4000): [17652] 1495435574.517247: Response was not from master KDC
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [sss_child_krb5_trace_cb] (0x4000): [17652] 1495435574.517270: Got cred; -1765328352/Ticket expired
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [map_krb5_error] (0x0020): 1643: [-1765328352][Ticket expired]
Renewing of a ticket failed because it is already expired.
Maybe due to time shift between client and server(KDC)
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [k5c_send_data] (0x0200): Received error code 1432158229
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [pack_response_packet] (0x2000): response packet size: [4]
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [k5c_send_data] (0x4000): Response sent.
>(Mon May 22 08:46:14 2017) [[sssd[krb5_child[17652]]]] [main] (0x0400): krb5_child completed successfully
There were 5 more attempts to renew tickets within a second.
4 of them failed due to expired ticket. And the last one failed
due to offline mode.
Few seconds later (7) user was authenticated in offline mode.
>(Mon May 22 08:46:21 2017) [[sssd[krb5_child[17694]]]] [main] (0x0400): krb5_child started.
>(Mon May 22 08:46:21 2017) [[sssd[krb5_child[17694]]]] [unpack_buffer] (0x1000): total buffer size: [141]
>(Mon May 22 08:46:21 2017) [[sssd[krb5_child[17694]]]] [unpack_buffer] (0x0100): cmd [241] uid [1001] gid [100] validate [true] enterprise principal [false] offline [true] UPN [jocke(a)INFINERA.COM]
>(Mon May 22 08:46:21 2017) [[sssd[krb5_child[17694]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1001] old_ccname: [FILE:/tmp/krb5cc_1001] keytab: [/etc/krb5.keytab]
>(Mon May 22 08:46:21 2017) [[sssd[krb5_child[17694]]]] [check_use_fast] (0x0100): Not using FAST.
>(Mon May 22 08:46:21 2017) [[sssd[krb5_child[17694]]]] [switch_creds] (0x0200): Switch user to [1001][100].
>(Mon May 22 08:46:21 2017) [[sssd[krb5_child[17694]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
>(Mon May 22 08:46:21 2017) [[sssd[krb5_child[17694]]]] [switch_creds] (0x0200): Switch user to [0][0].
>(Mon May 22 08:46:21 2017) [[sssd[krb5_child[17694]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_1001] and is active and TGT is valid.
>(Mon May 22 08:46:21 2017) [[sssd[krb5_child[17694]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
>(Mon May 22 08:46:21 2017) [[sssd[krb5_child[17694]]]] [become_user] (0x0200): Trying to become user [1001][100].
>(Mon May 22 08:46:21 2017) [[sssd[krb5_child[17694]]]] [main] (0x2000): Running as [1001][100].
>(Mon May 22 08:46:21 2017) [[sssd[krb5_child[17694]]]] [become_user] (0x0200): Trying to become user [1001][100].
>(Mon May 22 08:46:21 2017) [[sssd[krb5_child[17694]]]] [become_user] (0x0200): Already user [1001].
>(Mon May 22 08:46:21 2017) [[sssd[krb5_child[17694]]]] [k5c_setup] (0x2000): Running as [1001][100].
>(Mon May 22 08:46:21 2017) [[sssd[krb5_child[17694]]]] [set_lifetime_options] (0x0100): Renewable lifetime is set to [7d]
>(Mon May 22 08:46:21 2017) [[sssd[krb5_child[17694]]]] [set_lifetime_options] (0x0100): Lifetime is set to [24h]
>(Mon May 22 08:46:21 2017) [[sssd[krb5_child[17694]]]] [main] (0x0400): Will perform offline auth
>(Mon May 22 08:46:21 2017) [[sssd[krb5_child[17694]]]] [create_empty_ccache] (0x1000): Existing ccache still valid, reusing
>(Mon May 22 08:46:21 2017) [[sssd[krb5_child[17694]]]] [k5c_send_data] (0x0200): Received error code 0
>(Mon May 22 08:46:21 2017) [[sssd[krb5_child[17694]]]] [pack_response_packet] (0x2000): response packet size: [45]
>(Mon May 22 08:46:21 2017) [[sssd[krb5_child[17694]]]] [k5c_send_data] (0x4000): Response sent.
>(Mon May 22 08:46:21 2017) [[sssd[krb5_child[17694]]]] [main] (0x0400): krb5_child completed successfully
LS
6 years, 4 months
1.15.3/1.16 release timeframe?
by Lachlan Musicman
Hi all,
I noticed a while ago that 1.15.3 was versioned in the repo but I've not
seen anything released? I'm mostly looking on the COPR
(
https://pagure.io/SSSD/sssd/c/012ee7c3fe24a5e75d9b0465268c1bb8187b8337?br...
)
This is purely selfish - I love all that you do, and I'm aware that there
has been some fairly comprehensive infrastructural change.
I'm just waiting on that one fix and have no roadmap visibility :)
cheers
L.
------
"Mission Statement: To provide hope and inspiration for collective action,
to build collective power, to achieve collective transformation, rooted in
grief and rage but pointed towards vision and dreams."
- Patrisse Cullors, *Black Lives Matter founder*
6 years, 5 months
Expected one user entry and got 2
by TomK
Hey All,
We're receiving the following message on an older installation of SSSD
and RHEL 6.7. SSSD version is sssd-1.12.4-47.el6_7.4.x86_64.
I'm wondering under what conditions could "Expected one user entry and
got 2" be thrown and if it's fixed in higher SSSD versions.
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.
6 years, 5 months
Received error from KDC: -1765328378/Client not found in Kerberos database
by TomK
Hey All,
We are connecting a set of servers directly with AD. The AD computer
object is created for the host and is associated to a service account.
This service account works well with other hosts on the same domain.
Since this is a direct SSSD to AD setup, we are using adcli to establish
a connection to AD.
adcli populates a /etc/krb5.keytab file with a number of entries including:
* Added the entries to the keytab:
host/longhostname-host01.xyz.abc.com(a)COMPANY.COM: FILE:/etc/krb5.keytab
and runs successfully, without errors, to completion. However when
starting up sssd, we see the following in the log files:
.
.
[[sssd[ldap_child[11774]]]] [main] (0x0400): ldap_child started.
[[sssd[ldap_child[11774]]]] [main] (0x2000): context initialized
[[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): total buffer size: 71
[[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): realm_str size: 12
[[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): got realm_str:
COMPANY.COM
[[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): princ_str size: 35
[[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): got princ_str:
host/longhostname-host01.xyz.abc.co
[[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): keytab_name size: 0
[[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): lifetime: 86400
[[sssd[ldap_child[11774]]]] [unpack_buffer] (0x0200): Will run as [0][0].
[[sssd[ldap_child[11774]]]] [privileged_krb5_setup] (0x2000): Kerberos
context initialized
[[sssd[ldap_child[11774]]]] [main] (0x2000): Kerberos context initialized
[[sssd[ldap_child[11774]]]] [become_user] (0x0200): Trying to become
user [0][0].
[[sssd[ldap_child[11774]]]] [become_user] (0x0200): Already user [0].
[[sssd[ldap_child[11774]]]] [main] (0x2000): Running as [0][0].
[[sssd[ldap_child[11774]]]] [main] (0x2000): getting TGT sync
got princ_str: host/longhostname-host01.xyz.abc.com(a)COMPANY.COM
.
.
Principal name is: [host/longhostname-host01.xyz.abc.com(a)COMPANY.COM]
.
.
followed by:
[[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774]
1492661662.219837: Looked up etypes in keytab: des-cbc-crc, des,
des-cbc-crc, rc4-hmac, aes128-cts, aes256-cts
[[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774]
1492661662.219898: Sending request (224 bytes) to COMPANY.COM
[[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774]
1492661662.220151: Initiating TCP connection to stream 1.2.3.4:88
[[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774]
1492661662.222555: Sending TCP request to stream 1.2.3.4:88
[[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774]
1492661662.226128: Received answer from stream 1.2.3.4:88
[[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774]
1492661662.226205: Response was from master KDC
[[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774]
1492661662.226238: Received error from KDC: -1765328378/Client not found
in Kerberos database
Verified that the krb5.keytab has the principal and it matches exactly.
The OS is RHEL 6.7. Wondering if anyone ran into this and what could be
some of the problems that could be causing this? Do we need something
extra to be done on the AD side besides creating the computer object?
We'd take it from there to dig further since I realize I can't provide
all the details without first editing things out as I did above.
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.
6 years, 5 months
p11_child fails to obtain certificate from yubikey
by tallinn1960@yahoo.de
I am trying to setup a PKINIT/smartcard-based logon scheme using sssd 1.15.1 on Ubuntu 16.04. I am using the opensc-pkcs11 lib to access the smartcard. I have a working pam_krb5 based PKINIT smartcard logon to the KDC. The opensc pkcs11 lib and all relevant ca certificates are installed in the nss database.
However, p11_child is not happy about the yubikey:
➜ ~ sudo /usr/local/libexec/sssd/p11_child -d 9 --nssdb=/etc/pki/nssdb --pre
(Wed Apr 26 17:40:56:522588 2017) [[sssd[p11_child[2677]]]] [main] (0x0400): p11_child started.
(Wed Apr 26 17:40:56:522763 2017) [[sssd[p11_child[2677]]]] [main] (0x2000): Running in [pre-auth] mode.
(Wed Apr 26 17:40:56:522849 2017) [[sssd[p11_child[2677]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Wed Apr 26 17:40:56:522931 2017) [[sssd[p11_child[2677]]]] [main] (0x2000): Running with real IDs [0][0].
(Wed Apr 26 17:40:56:655832 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): Default Module List:
(Wed Apr 26 17:40:56:655859 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): common name: [NSS Internal PKCS #11 Module].
(Wed Apr 26 17:40:56:655864 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): dll name: [(null)].
(Wed Apr 26 17:40:56:655869 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): common name: [yubikey].
(Wed Apr 26 17:40:56:655873 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so].
(Wed Apr 26 17:40:56:655877 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): Dead Module List:
(Wed Apr 26 17:40:56:655883 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): DB Module List:
(Wed Apr 26 17:40:56:655888 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): common name: [NSS Internal Module].
(Wed Apr 26 17:40:56:655892 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): dll name: [(null)].
(Wed Apr 26 17:40:56:655917 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): Description [NSS Internal Cryptographic Services Mozilla Foundation �] Manufacturer [Mozilla Foundation �] flags [1].
(Wed Apr 26 17:40:56:655924 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): Description [NSS User Private Key and Certificate Services Mozilla Foundation �] Manufacturer [Mozilla Foundation �] flags [1].
(Wed Apr 26 17:40:56:655929 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): Description [Yubico Yubikey 4 OTP+CCID 00 00 OpenSC (www.opensc-project.org) ] Manufacturer [OpenSC (www.opensc-project.org) ] flags [7].
(Wed Apr 26 17:40:56:655940 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): Found [PIV_II (PIV Card Holder pin)] in slot [Yubico Yubikey 4 OTP+CCID 00 00][1] of module [2][/usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so].
(Wed Apr 26 17:40:56:655946 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): Token is NOT friendly.
(Wed Apr 26 17:40:56:655951 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): Trying to switch to friendly to read certificate.
(Wed Apr 26 17:40:56:655957 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): Login required.
(Wed Apr 26 17:40:56:655961 2017) [[sssd[p11_child[2677]]]] [do_work] (0x0020): Login required but no pin available, continue.
(Wed Apr 26 17:40:56:656102 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): found cert[PIV_II (PIV Card Holder pin):Certificate for PIV Authentication][CN=secadm,UID=4915377]
(Wed Apr 26 17:40:56:656127 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): Filtered certificates:
(Wed Apr 26 17:40:56:656132 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): No certificate found.
It looks like the certificate on the key is PIN-protected. Shouldn't p11_child ask for a PIN? Giving p11_child the --pin flag has absolutely no effect.
Any help is welcome.
Thx
6 years, 6 months
user id getting lost
by Thomas Beaudry
?Hi Guys,
I am running into a problem recently where my username is getting lost, and being associated to a number. I disabled reverse DNS in the past based on a suggestion from another sssd user, which seemed to work for awhile.
I set my debug levels to 10, so how can i start debugging this?
Thomas
6 years, 6 months
Samba 4.4, sssd, adcli; windows hosts cannot authenticate
by Steve Dainard
I'm running samba 4.4.4 on el7. I'm attempting to provide a share
auth by Kerberos or for non-kerberos hosts auth by password on Linux
or Windows (7)
clients.
We have uid/gid/group memberships in AD and typically configure
Linux hosts with a kerberos/sssd/ldap configuration which uses
attributes from AD, but are not joined to domain.
I need to be able to automate the domain join with salt stack, so I'm
stuck using adcli to join the machine as it has a plain-text password
option, I then push sssd.conf, /etc/krb5.conf, and /etc/samba/smb.conf
to the samba host.
Thus far I've been able to browse shares from Linux, which
authenticates with Kerberos OK. File/directory perms are respected,
new files are created with proper uid, etc. No complaints on this
side.
When I attempt to connect from a domain joined Windows client I get
prompted for credentials, and domain credentials do not work. It seems
like the id of the user isn't passed through or looked up correctly
after Kerberos auth, and the user is labelled as a guest user. Guest
users are mapped to bad user in samba config. Here's a bit of logging
when the Windows client tries to access a
share: https://pastebin.com/pbEqj9ZR
Configs;
smb.conf: https://pastebin.com/XfeVTCDE
sssd.conf: https://pastebin.com/Z57rRwBw
krb5.conf: https://pastebin.com/JigdxgJ6
Some other interesting tidbits:
DNS is served by el6/bind, not by AD, but the AD srv records exist and
work properly for auto discovery and binding.
The samba server does not have a PTR record, although this seems to be
a requirement for KDC's not members.
The domain is ad.localdomain.com, but hosts (including the samba
server) have fqdn assigned by dhcp as <hostname>.dhcp.localdomain.com.
Any help is appreciated, usually its the Linux client that ends up
being a pain, this is the first time for me a Windows client is having
issues authing.
Thanks,
Steve
6 years, 6 months
