Is it possible for SSSD to handle NTLMSSP authentication somehow?
by Reinaldo Souza Gomes
I know that this is an old topic, but I've seen contradictory answers in different places.
Some topics say that SSSD has no support for NTLM due to its inherently insecure nature, and never will.
But others, such as this topic (https://bugzilla.redhat.com/show_bug.cgi?id=963341), seem to state that it could be possible through the gssntlmssp package.
The reason for my question is that I'm trying to use Samba with SSSD, and its authentication fails when the Windows client falls back from Kerberos to NTLMv2 for any reason:
[2018/10/10 20:43:32.382948, 2] ../source3/auth/auth.c:332(auth_check_ntlm_password) check_ntlm_password: Authentication for user [myusername] -> [myusername] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2018/10/10 20:43:32.382989, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable) Auth: [SMB2,(null)] user [MYDOMAIN]\[myusername] at [Wed, 10 Oct 2018 20:43:32.382980 -03] with [NTLMv2] status [NT_STATUS_NO_LOGON_SERVERS] workstation [NTB005] remote host [ipv4:192.168.1.1:1914] mapped to [MYDOMAIN]\[myusername]. local host [ipv4:10.1.1.1:445]
Is there anything I can do to make SSSD able to deal with NTLMv2/NTLMSSP?
5 years, 5 months
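The Samba audit line quoted in the post has a fixed shape, so a log can be scanned for how often clients fall back to NTLM and with which status. The script below is an added example, not code from the post, from Samba or from SSSD: it parses the human-readable "Auth:" line, flags NTLMv1/NTLMv2 attempts per workstation, and tallies the NT_STATUS failures. The sample log is constructed here (the second entry is the post's own line; the others, including the "krb5" mechanism name used for the Kerberos success, are made up and the mechanism string is an assumption).

```python
import re
from collections import Counter

# Samba's human-readable authentication audit line (auth_log.c), as quoted in the post:
#   Auth: [SMB2,(null)] user [DOM]\[name] at [time] with [NTLMv2] status [NT_STATUS_...]
#   workstation [WS] remote host [ipv4:a.b.c.d:port] mapped to [DOM]\[name]. local host [...]
AUTH_RE = re.compile(
    r"Auth: \[(?P<transport>[^,\]]+),(?P<auth_type>[^\]]*)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[(?P<when>[^\]]*)\] "
    r"with \[(?P<mech>[^\]]*)\] "
    r"status \[(?P<status>[^\]]*)\] "
    r"workstation \[(?P<workstation>[^\]]*)\] "
    r"remote host \[(?P<remote>[^\]]*)\]"
)


def parse_auth_line(line):
    """Return a dict for one 'Auth:' event, or None for any other Samba log line."""
    m = AUTH_RE.search(line)
    if m is None:
        return None
    event = m.groupdict()
    # Samba names the mechanism NTLMv1/NTLMv2 when the client did not use Kerberos.
    event["ntlm"] = event["mech"].upper().startswith("NTLM")
    event["ok"] = event["status"] == "NT_STATUS_OK"
    return event


def summarize(lines):
    """Count NTLM-based attempts per workstation and the statuses they failed with."""
    events = [e for e in map(parse_auth_line, lines) if e is not None]
    ntlm_hosts = Counter()
    ntlm_failures = Counter()
    for e in events:
        if not e["ntlm"]:
            continue
        ntlm_hosts[e["workstation"]] += 1
        if not e["ok"]:
            ntlm_failures[e["status"]] += 1
    return {
        "events": len(events),
        "ntlm_attempts": sum(ntlm_hosts.values()),
        "ntlm_hosts": dict(ntlm_hosts),
        "ntlm_failures": dict(ntlm_failures),
    }


# Constructed sample log. Entry [1] is the failing NTLMv2 fallback from the post; entry [0] is the
# auth.c line that precedes it (not an audit line); the remaining entries are made up here.
SAMPLE_LOG = [
    r"[2018/10/10 20:43:32.382948, 2] ../source3/auth/auth.c:332(auth_check_ntlm_password) check_ntlm_password: Authentication for user [myusername] -> [myusername] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1",
    r"[2018/10/10 20:43:32.382989, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable) Auth: [SMB2,(null)] user [MYDOMAIN]\[myusername] at [Wed, 10 Oct 2018 20:43:32.382980 -03] with [NTLMv2] status [NT_STATUS_NO_LOGON_SERVERS] workstation [NTB005] remote host [ipv4:192.168.1.1:1914] mapped to [MYDOMAIN]\[myusername]. local host [ipv4:10.1.1.1:445]",
    r"[2018/10/10 20:44:01.000000, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable) Auth: [SMB2,(null)] user [MYDOMAIN]\[alice] at [Wed, 10 Oct 2018 20:44:01.000000 -03] with [krb5] status [NT_STATUS_OK] workstation [NTB007] remote host [ipv4:192.168.1.7:50112] mapped to [MYDOMAIN]\[alice]. local host [ipv4:10.1.1.1:445]",
    r"[2018/10/10 20:45:10.000000, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable) Auth: [SMB2,(null)] user [MYDOMAIN]\[myusername] at [Wed, 10 Oct 2018 20:45:10.000000 -03] with [NTLMv2] status [NT_STATUS_NO_LOGON_SERVERS] workstation [NTB005] remote host [ipv4:192.168.1.1:1920] mapped to [MYDOMAIN]\[myusername]. local host [ipv4:10.1.1.1:445]",
    r"[2018/10/10 20:46:00.000000, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable) Auth: [SMB2,(null)] user [MYDOMAIN]\[bob] at [Wed, 10 Oct 2018 20:46:00.000000 -03] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [NTB009] remote host [ipv4:192.168.1.9:51000] mapped to [MYDOMAIN]\[bob]. local host [ipv4:10.1.1.1:445]",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Running it over a real log.smbd (with `log level = auth_audit:2` or higher) gives the same dictionary; a workstation that keeps showing up under NTLM with NT_STATUS_NO_LOGON_SERVERS is one that never obtains a Kerberos service ticket for the Samba host and then hits a server with no NTLM backend to validate the response, which is the situation the post describes.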
Lowercase principals on login
by Tom
Is there a way to ensure the principal generated has the lowercase user not an uppercase user showing up in kinit?
Cheers,
Tom
Sent from my iPhone
5 years, 5 months
Intermittent issues with SSH access possibly due to the HBAC rules error
by Bart
Hi all,
I have freeipa setup with 2 replicas and a trust relationship with AD.
Occasionally, for periods of time usually less than half an hour, all or a subset of my FreeIPA clients are not available via SSH. For the record, I use SSH keys and no password authentication.
During these downtimes, when I access them via a local account, I can see that the user with his groups is resolved correctly (id, getent passwd). sss_ssh_authorizedkeys returns the correct SSH key. The users in question come from AD; they have SSH keys uploaded to the ID override.
I bumped sssd debug_level to 7.
/var/log/secure contains Permission denied:
Oct 19 17:18:52 hostname sshd[18365]: pam_sss(sshd:account): Access denied for user testuser: 6 (Permission denied)
Oct 19 17:18:52 hostname sshd[18366]: fatal: Access denied for user testuser by PAM account configuration
In sssd_pam.log there are entries containing "pam_reply called with result [6]: Permission denied.":
Please, consider enabling SELinux in your system.
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [accept_fd_handler] (0x0400): Client connected to privileged pipe!
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'user' matched without domain, user is user
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): user: user
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): rhost: 172.16.40.159
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 19055
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): logon name: user
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_send] (0x0400): CR #21495: New request 'Initgroups by name'
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_process_input] (0x0400): CR #21495: Parsing input name [user]
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'user' matched without domain, user is user
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_set_name] (0x0400): CR #21495: Setting name [user]
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_select_domains] (0x0400): CR #21495: Performing a multi-domain search
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_search_domains] (0x0400): CR #21495: Search will bypass the cache and check the data provider
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_set_domain] (0x0400): CR #21495: Using domain [win.domain.com]
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_prepare_domain_data] (0x0400): CR #21495: Preparing input data for domain [win.domain.com] rules
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_search_send] (0x0400): CR #21495: Looking up user(a)win.domain.com
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_search_ncache] (0x0400): CR #21495: Checking negative cache for [user(a)win.domain.com]
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_search_ncache] (0x0400): CR #21495: [user(a)win.domain.com] is not present in negative cache
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_search_dp] (0x0400): CR #21495: Looking up [user(a)win.domain.com] in data provider
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x4158f0:3:user@win.domain.com@win.domain.com]
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [win.domain.com][0x3][BE_REQ_INITGROUPS][name=user@win.domain.com:-]
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x4158f0:3:user@win.domain.com@win.domain.com]
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_search_cache] (0x0400): CR #21495: Looking up [user(a)win.domain.com] in cache
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_search_ncache_filter] (0x0400): CR #21495: This request type does not support filtering result by negative cache
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_search_done] (0x0400): CR #21495: Returning updated object [user(a)win.domain.com]
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_create_and_add_result] (0x0400): CR #21495: Found 239 entries in domain win.domain.com
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x4158f0:3:user@win.domain.com@win.domain.com]
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_done] (0x0400): CR #21495: Finished: Success
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is user(a)win.domain.com
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): domain: win.domain.com
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): user: user(a)win.domain.com
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): rhost: 172.16.40.159
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 19055
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): logon name: user
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [6 (Permission denied)][win.domain.com]
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [6]: Permission denied.
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 28
(Fri Oct 19 15:21:38 2018) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Fri Oct 19 15:21:49 2018) [sssd[pam]] [get_client_cred] (0x0080): The following failure is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [92][Protocol not available].
Inside of sssd_linux.domain.com.log there are corresponding entries (ellipsized):
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=user(a)win.domain.com]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_attach_req] (0x0400): DP Request [Initgroups #23562]: New request. Flags [0x0001].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=user))][cn=Default Trust View,cn=views,cn=accounts,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [user] to IPA server
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_s2n_get_user_done] (0x0400): Received [239] groups in group list from IPA Server
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_s2n_get_user_done] (0x0400): [user(a)win.domain.com].
(...)
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_s2n_get_user_done] (0x0400): [rule_watcher_development(a)win.domain.com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_s2n_get_user_done] (0x0400): [rule_admin_development(a)win.domain.com].
(...)
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sysdb_set_entry_attr] (0x0200): Entry [name=user(a)win.domain.com,cn=users,cn=win.domain.com,cn=sysdb] has set [ts_cache] attrs.
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [Attribute or value exists](20)[attribute 'member': value #0 on 'name=user(a)win.domain.com,cn=users,cn=win.domain.com,cn=sysdb' already exists]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sysdb_mod_group_member] (0x0400): Error: 17 (File exists)
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [user(a)win.domain.com] to group [name=user(a)win.domain.com,cn=users,cn=win.domain.com,cn=sysdb]. Skipping.
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_req_done] (0x0400): DP Request [Initgroups #23562]: Request handler finished [0]: Success
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [_dp_req_recv] (0x0400): DP Request [Initgroups #23562]: Receiving request data.
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_req_initgr_pp_nss_notify] (0x0400): Ordering NSS responder to update memory cache
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_req_reply_list_success] (0x0400): DP Request [Initgroups #23562]: Finished. Success.
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_req_reply_std] (0x1000): DP Request [Initgroups #23562]: Returning [Success]: 0,0,Success
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::win.domain.com:name=user@win.domain.com] from reply table
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_req_destructor] (0x0400): DP Request [Initgroups #23562]: Request removed.
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_pam_handler] (0x0100): Got request with the following data
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [pam_print_data] (0x0100): domain: win.domain.com
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [pam_print_data] (0x0100): user: user(a)win.domain.com
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [pam_print_data] (0x0100): service: sshd
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [pam_print_data] (0x0100): tty: ssh
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [pam_print_data] (0x0100): ruser:
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [pam_print_data] (0x0100): rhost: 172.16.40.159
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [pam_print_data] (0x0100): authtok type: 0
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [pam_print_data] (0x0100): priv: 1
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [pam_print_data] (0x0100): cli_pid: 19055
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [pam_print_data] (0x0100): logon name: not set
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_attach_req] (0x0400): DP Request [PAM Account #23563]: New request. Flags [0000].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_access_send] (0x0400): Performing access check for user [user(a)win.domain.com]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [user(a)win.domain.com]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_account_expired] (0x0400): IPA access control succeeded, checking AD access control
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_account_expired_ad] (0x0400): Performing AD access check for user [user(a)win.domain.com]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=hostname.linux.com))][cn=accounts,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [fqdn=hostname.linux.com,cn=computers,cn=accounts,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=hostname.linux.com,cn=computers,cn=accounts,dc=linux,dc=domain,dc=com] using OpenLDAP deref
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base.
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=hostname.linux.com,cn=computers,cn=accounts,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_deref] (0x1000): Dereferenced DN: cn=service_development,cn=hostgroups,cn=accounts,dc=linux,dc=domain,dc=com
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_deref] (0x1000): Dereferenced DN: cn=service_development,cn=ng,cn=alt,dc=linux,dc=domain,dc=com
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=600c5bb8-9640-11e8-97b4-02699e009f10,cn=hbac,dc=linux,dc=domain,dc=com
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=63673c38-9640-11e8-b757-02699e009f10,cn=hbac,dc=linux,dc=domain,dc=com
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=a72ca9bc-9640-11e8-b757-02699e009f10,cn=sudorules,cn=sudo,dc=linux,dc=domain,dc=com
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_hostgroup_info_done] (0x0200): Dereferenced host group: service_development
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linux,dc=domain,dc=com][2][(objectClass=ipaHBACService)]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sshd,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ftp,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=su,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=login,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=su-l,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sudo,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sudo-i,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gdm,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gdm-password,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=kdm,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=crond,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=vsftpd,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=proftpd,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=pure-ftpd,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gssftp,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linux,dc=domain,dc=com][2][(objectClass=ipaHBACServiceGroup)]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=Sudo,cn=hbacservicegroups,cn=hbac,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ftp,cn=hbacservicegroups,cn=hbac,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linux,dc=domain,dc=com][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn=hostname.linux.com,cn=computers,cn=accounts,dc=linux,dc=domain,dc=com)(memberHost=cn=service_development,cn=hostgroups,cn=accounts,dc=linux,dc=domain,dc=com)(memberHost=cn=service_development,cn=ng,cn=alt,dc=linux,dc=domain,dc=com)(memberHost=ipaUniqueID=600c5bb8-9640-11e8-97b4-02699e009f10,cn=hbac,dc=linux,dc=domain,dc=com)(memberHost=ipaUniqueID=63673c38-9640-11e8-b757-02699e009f10,cn=hbac,dc=linux,dc=domain,dc=com)(memberHost=ipaUniqueID=a72ca9bc-9640-11e8-b757-02699e009f10,cn=sudorules,cn=sudo,dc=linux,dc=domain,dc=com)))]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn=hostname.linux.com,cn=computers,cn=accounts,dc=linux,dc=domain,dc=com)(memberHost=cn=service_development,cn=hostgroups,cn=accounts,dc=linux,dc=domain,dc=com)(memberHost=cn=service_development,cn=ng,cn=alt,dc=linux,dc=domain,dc=com)(memberHost=ipaUniqueID=600c5bb8-9640-11e8-97b4-02699e009f10,cn=hbac,dc=linux,dc=domain,dc=com)(memberHost=ipaUniqueID=63673c38-9640-11e8-b757-02699e009f10,cn=hbac,dc=linux,dc=domain,dc=com)(memberHost=ipaUniqueID=a72ca9bc-9640-11e8-b757-02699e009f10,cn=sudorules,cn=sudo,dc=linux,dc=domain,dc=com)))][cn=hbac,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaenabledflag]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accessRuleType]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberService]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serviceCategory]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHost]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHostCategory]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalHost]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [ipaUniqueID=600c5bb8-9640-11e8-97b4-02699e009f10,cn=hbac,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [ipaUniqueID=63673c38-9640-11e8-b757-02699e009f10,cn=hbac,dc=linux,dc=domain,dc=com].
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_attrs_to_rule] (0x1000): Processing rule [rule_watcher_development_hbac_rule]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [rule_watcher_development_hbac_rule]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [rule_watcher_development_hbac_rule]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [rule_watcher_development_hbac_rule]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [rule_watcher_development_hbac_rule]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_attrs_to_rule] (0x1000): Processing rule [rule_admin_development_hbac_rule]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [rule_admin_development_hbac_rule]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [rule_admin_development_hbac_rule]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [rule_admin_development_hbac_rule]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [rule_admin_development_hbac_rule]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_eval_user_element] (0x1000): [238] groups for [user(a)win.domain.com]
(...)
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=rule_admin_development(a)win.domain.com,cn=groups,cn=win.domain.com,cn=sysdb
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=rule_watcher_development(a)win.domain.com,cn=groups,cn=win.domain.com,cn=sysdb
(...)
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_evaluate] (0x0100): [< hbac_evaluate()
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_evaluate] (0x0100): The rule [rule_watcher_development_hbac_rule] did not match.
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_evaluate] (0x0100): The rule [rule_admin_development_hbac_rule] did not match.
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_evaluate] (0x0100): hbac_evaluate() >]
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_req_done] (0x0400): DP Request [PAM Account #23563]: Request handler finished [0]: Success
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [_dp_req_recv] (0x0400): DP Request [PAM Account #23563]: Receiving request data.
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_req_destructor] (0x0400): DP Request [PAM Account #23563]: Request removed.
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_method_enabled] (0x0400): Target selinux is not configured
(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #23563]: Sending result [6][win.domain.com]
The thing is that on the server, when I test the hbacrule, it shows me that this user should be able to access this client host with either rule_watcher_development_hbac_rule or rule_admin_development_hbac_rule. Moreover, without any reconfiguration, the situation seems to come back to normal after a couple of minutes, usually in less than an hour.
The sssd version is 1.16.1, the ipa version 4.6.4-2.
What could be a reason for this not working?
5 years, 6 months
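The domain log in the post already records the facts needed to reason about the denial: which HBAC rules were loaded for the host, that the user's AD groups named like those rules were skipped as non-IPA groups, that neither rule matched, and the PAM result 6 that followed. The script below is an added example, not code from the thread or from SSSD: it pulls those facts out of a sssd domain log into one record per PAM account request, so a denied run can be compared line by line with a working one. The sample lines are constructed from the post's excerpt (the list archive's "(a)" stands for "@" and is undone before parsing); the "Access granted by HBAC rule [...]" message is assumed from the SSSD source rather than taken from the post.

```python
import re

# Generic shape of an sssd domain-log line, e.g.
# "(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_evaluate] (0x0100): The rule [x] did not match."
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# Messages that matter for an HBAC evaluation. All but "granted" appear verbatim in the post;
# "granted" is assumed from the SSSD source (ipa_access.c).
PATTERNS = {
    "start":   re.compile(r"DP Request \[PAM Account #(?P<req>\d+)\]: New request"),
    "user":    re.compile(r"Performing access check for user \[(?P<user>[^\]]+)\]"),
    "rule":    re.compile(r"^Processing rule \[(?P<rule>[^\]]+)\]"),
    "skipped": re.compile(r"Skipping non-IPA group name=(?P<group>[^,]+),"),
    "nomatch": re.compile(r"The rule \[(?P<rule>[^\]]+)\] did not match\."),
    "denied":  re.compile(r"Access denied by HBAC rules"),
    "granted": re.compile(r"Access granted by HBAC rule \[(?P<rule>[^\]]+)\]"),
    "result":  re.compile(r"DP Request \[PAM Account #(?P<req>\d+)\]: Sending result \[(?P<code>\d+)\]"),
}


def triage(lines):
    """Return one record per 'PAM Account' request found in the log lines."""
    records, cur = [], None
    for raw in lines:
        m = LINE_RE.match(raw.replace("(a)", "@"))  # undo the list archive's address obfuscation
        if m is None:
            continue
        msg = m.group("msg")
        start = PATTERNS["start"].search(msg)
        if start:
            cur = {"request": start.group("req"), "domain": m.group("domain"), "user": None,
                   "rules": [], "unmatched": [], "skipped_groups": [],
                   "decision": None, "pam_result": None}
            continue
        if cur is None:
            continue  # lines outside a PAM account request (e.g. the initgroups lookup)
        for name, pat in PATTERNS.items():
            hit = pat.search(msg)
            if hit is None or name == "start":
                continue
            if name == "user":
                cur["user"] = hit.group("user")
            elif name == "rule":
                cur["rules"].append(hit.group("rule"))
            elif name == "skipped":
                cur["skipped_groups"].append(hit.group("group"))
            elif name == "nomatch":
                cur["unmatched"].append(hit.group("rule"))
            elif name == "denied":
                cur["decision"] = "denied"
            elif name == "granted":
                cur["decision"] = "granted by " + hit.group("rule")
            elif name == "result":
                cur["pam_result"] = int(hit.group("code"))
                records.append(cur)
                cur = None
            break
    return records


def explain(rec):
    """One-line summary of a record, handy for diffing a denied run against a working one."""
    return (f"PAM Account #{rec['request']} for {rec['user']}: {rec['decision'] or 'no decision logged'}; "
            f"rules evaluated: {', '.join(rec['rules']) or 'none'}; "
            f"did not match: {', '.join(rec['unmatched']) or 'none'}; "
            f"groups skipped as non-IPA: {', '.join(rec['skipped_groups']) or 'none'}; "
            f"pam result: {rec['pam_result']}")


# Constructed sample, reduced from the post's excerpt (archive obfuscation "(a)" left in place).
SAMPLE_LOG = [
    "(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_attach_req] (0x0400): DP Request [PAM Account #23563]: New request. Flags [0000].",
    "(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_access_send] (0x0400): Performing access check for user [user(a)win.domain.com]",
    "(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_attrs_to_rule] (0x1000): Processing rule [rule_watcher_development_hbac_rule]",
    "(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [rule_watcher_development_hbac_rule]",
    "(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_attrs_to_rule] (0x1000): Processing rule [rule_admin_development_hbac_rule]",
    "(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=rule_admin_development(a)win.domain.com,cn=groups,cn=win.domain.com,cn=sysdb",
    "(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=rule_watcher_development(a)win.domain.com,cn=groups,cn=win.domain.com,cn=sysdb",
    "(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_evaluate] (0x0100): The rule [rule_watcher_development_hbac_rule] did not match.",
    "(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_evaluate] (0x0100): The rule [rule_admin_development_hbac_rule] did not match.",
    "(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules",
    "(Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #23563]: Sending result [6][win.domain.com]",
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(explain(rec))
```

Running `triage` over the full sssd_<domain>.log from a denied window and from a window where the same user logged in fine, and comparing the two records, shows which of the three things changed: the set of rules fetched for the host, the rules that matched, or the groups the evaluator could see for the user.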
Re: smartcard authentication directly against AD (no IPA)?
by Pavel Arnošt
Hi,
I'm trying to configure smartcard (pkinit) authentication against Active Directory on the latest CentOS without success.
AD authentication without smartcard works without problems and standalone kinit with smartcard also works, but I can't manage to log in with smartcard and sssd.
Is it supposed to work in the current state? What problem does the mentioned patch address?
I included krb5.conf, sssd.conf and krb5_child.log. What I considered strange is this part:
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_responder]
(0x4000): Got question [pkinit].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [answer_pkinit]
(0x4000): [0] Identity
[PKCS11:module_name=libcoolkeypk11.so:slotid=1:token=Pavel Arnošt] flags
[0].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [answer_pkinit]
(0x4000): Setting pkinit_prompting.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter]
(0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1]
EINVAL.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter]
(0x4000): Prompt [0][Pavel Arnošt PIN].
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter]
(0x0020): Cannot handle password prompts.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87842: PKINIT client
has no configured identity; giving up
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87843: Preauth module
pkinit (16) (real) returned: -1765328360/Preauthentication failed
i.e. the X509 identity is found but not used, and the prompt for the PIN is ignored?
What can be wrong? Thanks.
krb5.conf:
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
dns_canonicalize_hostname = false
rdns = false
default_realm = VALVERA.LOCAL
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
VALVERA.LOCAL = {
kdc = 172.30.30.30
admin_server = 172.30.30.30
pkinit_anchors = FILE:/etc/ca.crt
pkinit_eku_checking = kpServerAuth
pkinit_kdc_hostname = valvera.local
pkinit_identities = PKCS11:libcoolkeypk11.so
}
sssd.conf:
[sssd]
debug_level = 9
domains = valvera.local
config_file_version = 2
services = nss, pam
[pam]
pam_cert_auth = True
[domain/valvera.local]
debug_level = 9
ad_domain = valvera.local
krb5_realm = VALVERA.LOCAL
ldap_user_certificate = userCertificate;binary
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = ad
krb5_child.log:
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [main] (0x0400):
krb5_child started.
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [unpack_buffer]
(0x1000): total buffer size: [202]
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [unpack_buffer]
(0x0100): cmd [249] uid [650201177] gid [650200513] validate [true]
enterprise principal [true] offline [false] UPN [arnost(a)VALVERA.LOCAL]
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [unpack_buffer]
(0x0100): ccname: [KEYRING:persistent:650201177] old_ccname:
[KEYRING:persistent:650201177] keytab: [/etc/krb5.keytab]
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [check_use_fast]
(0x0100): Not using FAST.
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]]
[privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [main] (0x2000):
Running as [0][0].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [k5c_setup] (0x2000):
Running as [0][0].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [set_lifetime_options]
(0x0100): No specific renewable lifetime requested.
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [set_lifetime_options]
(0x0100): No specific lifetime requested.
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]]
[set_canonicalize_option] (0x0100): Canonicalization is set to [true]
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [main] (0x0400): Will
perform pre-auth
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [tgt_req_child]
(0x1000): Attempting to get a TGT
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [get_and_save_tgt]
(0x4000): Found Smartcard credentials, trying pkinit.
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [get_pkinit_identity]
(0x4000): Got [Pavel Arnošt][libcoolkeypk11.so].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [get_pkinit_identity]
(0x4000): Using pkinit identity
[PKCS11:module_name=libcoolkeypk11.so:token=Pavel Arnošt:certid=0001].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [get_and_save_tgt]
(0x0400): Attempting kinit for realm [VALVERA.LOCAL]
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480064: Getting
initial credentials for arnost\@VALVERA.LOCAL(a)VALVERA.LOCAL
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480066: Sending
request (209 bytes) to VALVERA.LOCAL
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480067: Initiating TCP
connection to stream 172.30.30.30:88
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480068: Sending TCP
request to stream 172.30.30.30:88
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480069: Received
answer (189 bytes) from stream 172.30.30.30:88
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480070: Terminating
TCP connection to stream 172.30.30.30:88
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480071: Response was
from master KDC
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480072: Received error
from KDC: -1765328359/Additional pre-authentication required
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480075: Processing
preauth types: 16, 15, 19, 2
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480076: Selected etype
info: etype aes256-cts, salt "VALVERA.LOCALarnost", params ""
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_responder]
(0x4000): Got question [pkinit].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [answer_pkinit]
(0x4000): [0] Identity
[PKCS11:module_name=libcoolkeypk11.so:slotid=1:token=Pavel Arnošt] flags
[0].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [answer_pkinit]
(0x4000): Setting pkinit_prompting.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter]
(0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1]
EINVAL.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter]
(0x4000): Prompt [0][Pavel Arnošt PIN].
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter]
(0x0020): Cannot handle password prompts.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87842: PKINIT client
has no configured identity; giving up
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87843: Preauth module
pkinit (16) (real) returned: -1765328360/Preauthentication failed
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87844: PKINIT client
has no configured identity; giving up
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87845: Preauth module
pkinit (14) (real) returned: -1765328360/Preauthentication failed
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter]
(0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1]
EINVAL.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter]
(0x4000): Prompt [0][Password for arnost\@VALVERA.LOCAL(a)VALVERA.LOCAL].
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter]
(0x0020): Cannot handle password prompts.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87846: Preauth module
encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [get_and_save_tgt]
(0x0400): krb5_get_init_creds_password returned [-1765328174] during
pre-auth.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [k5c_send_data]
(0x0200): Received error code 0
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [pack_response_packet]
(0x2000): response packet size: [12]
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [k5c_send_data]
(0x4000): Response sent.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [main] (0x0400):
krb5_child completed successfully
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [main] (0x0400):
krb5_child started.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [unpack_buffer]
(0x1000): total buffer size: [208]
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [unpack_buffer]
(0x0100): cmd [241] uid [650201177] gid [650200513] validate [true]
enterprise principal [true] offline [false] UPN [arnost(a)VALVERA.LOCAL]
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [unpack_buffer]
(0x0100): ccname: [KEYRING:persistent:650201177] old_ccname:
[KEYRING:persistent:650201177] keytab: [/etc/krb5.keytab]
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [check_use_fast]
(0x0100): Not using FAST.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [switch_creds]
(0x0200): Switch user to [650201177][650200513].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [switch_creds]
(0x0200): Switch user to [0][0].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [k5c_check_old_ccache]
(0x4000): Ccache_file is [KEYRING:persistent:650201177] and is not active
and TGT is valid.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [k5c_precreate_ccache]
(0x4000): Recreating ccache
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [main] (0x2000):
Running as [0][0].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [k5c_setup] (0x2000):
Running as [0][0].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [set_lifetime_options]
(0x0100): No specific renewable lifetime requested.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [set_lifetime_options]
(0x0100): No specific lifetime requested.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[set_canonicalize_option] (0x0100): Canonicalization is set to [true]
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [main] (0x0400): Will
perform online auth
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [tgt_req_child]
(0x1000): Attempting to get a TGT
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_and_save_tgt]
(0x4000): Found Smartcard credentials, trying pkinit.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_pkinit_identity]
(0x4000): Got [Pavel Arnošt][libcoolkeypk11.so].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_pkinit_identity]
(0x4000): Using pkinit identity
[PKCS11:module_name=libcoolkeypk11.so:token=Pavel Arnošt:certid=0001].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_and_save_tgt]
(0x0400): Attempting kinit for realm [VALVERA.LOCAL]
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364762: Getting
initial credentials for arnost\@VALVERA.LOCAL(a)VALVERA.LOCAL
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364764: Sending
request (209 bytes) to VALVERA.LOCAL
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364765: Initiating TCP
connection to stream 172.30.30.30:88
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364766: Sending TCP
request to stream 172.30.30.30:88
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364767: Received
answer (189 bytes) from stream 172.30.30.30:88
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364768: Terminating
TCP connection to stream 172.30.30.30:88
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364769: Response was
from master KDC
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364770: Received error
from KDC: -1765328359/Additional pre-authentication required
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364773: Processing
preauth types: 16, 15, 19, 2
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364774: Selected etype
info: etype aes256-cts, salt "VALVERA.LOCALarnost", params ""
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_krb5_responder]
(0x4000): Got question [pkinit].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [answer_pkinit]
(0x4000): [0] Identity
[PKCS11:module_name=libcoolkeypk11.so:slotid=1:token=Pavel Arnošt] flags
[0].
Thanks,
Regards,
Pavel
5 years, 6 months
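To make a krb5_child.log of this length readable, the following Python (an added example, not part of the thread or of SSSD) pulls out the pieces that decide a PKINIT attempt: the identity the responder offered and the one krb5_child used, the pre-authentication types the KDC asked for, the prompts the child could not answer, and the return code of each preauth module, translated to MIT krb5 error names by offset from the error-table base. It summarises the log; it does not diagnose the cause. The sample is the posted log unwrapped to one line per entry, with "(a)" read as the archive's rendering of "@" (an assumption); the names table covers only the codes seen here plus KRB5_KDC_UNREACH.

```python
import re

# MIT krb5 error codes are ERROR_TABLE_BASE_krb5 plus a small offset; the names
# below cover the offsets that appear in this log plus one common extra.
KRB5_ERROR_BASE = -1765328384
KRB5_ERROR_NAMES = {
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
    130: "KRB5_LIBOS_CANTREADPWD",
    156: "KRB5_KDC_UNREACH",
    210: "KRB5_PREAUTH_FAILED",
}
# Pre-authentication type numbers (RFC 4120, RFC 4556, IANA registry).
PA_TYPES = {2: "PA-ENC-TIMESTAMP", 14: "PA-PK-AS-REQ_OLD", 15: "PA-PK-AS-REP_OLD",
            16: "PA-PK-AS-REQ", 17: "PA-PK-AS-REP", 19: "PA-ETYPE-INFO2"}

# One krb5_child.log line: "(ts) [[sssd[krb5_child[pid]]]] [func] (level): msg".
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
IDENT_RE = re.compile(r"Using pkinit identity \[(?P<identity>[^\]]+)\]")
OFFER_RE = re.compile(r"\[\d+\] Identity \[(?P<identity>[^\]]+)\] flags")
KDC_TYPES_RE = re.compile(r"Processing preauth types: (?P<types>[\d, ]+)")
KDC_ERR_RE = re.compile(r"Received error from KDC: (?P<code>-?\d+)/")
MODULE_RE = re.compile(r"Preauth module (?P<module>\S+) \((?P<pa>\d+)\) \(\w+\) "
                       r"returned: (?P<code>-?\d+)/(?P<text>.*)")
PROMPT_RE = re.compile(r"Prompt \[\d+\]\[(?P<prompt>[^\]]+)\]")
NO_PROMPT_MSG = "Cannot handle password prompts."
FINAL_RE = re.compile(r"krb5_get_init_creds_password returned \[(?P<code>-?\d+)\]")

# Constructed sample: the decisive lines of the posted krb5_child.log, unwrapped
# to one line each; "(a)" in the archive is assumed to stand for "@".
SAMPLE_KRB5_CHILD_LOG = r"""
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [get_pkinit_identity] (0x4000): Using pkinit identity [PKCS11:module_name=libcoolkeypk11.so:token=Pavel Arnošt:certid=0001].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480072: Received error from KDC: -1765328359/Additional pre-authentication required
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480075: Processing preauth types: 16, 15, 19, 2
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [answer_pkinit] (0x4000): [0] Identity [PKCS11:module_name=libcoolkeypk11.so:slotid=1:token=Pavel Arnošt] flags [0].
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Pavel Arnošt PIN].
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87843: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87845: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for arnost\@VALVERA.LOCAL@VALVERA.LOCAL].
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87846: Preauth module encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [-1765328174] during pre-auth.
"""


def krb5_error_name(code):
    """Map a numeric krb5 code to its symbolic name via the error-table base."""
    offset = code - KRB5_ERROR_BASE
    return KRB5_ERROR_NAMES.get(offset, f"unknown krb5 error (offset {offset})")


def triage_krb5_child(text):
    """Condense a krb5_child.log into: which PKINIT identity was offered and used,
    what the KDC asked for, which prompts the child could not answer, and how
    each preauth module (and the whole attempt) ended."""
    report = {"identity": None, "responder_identity": None, "kdc_preauth_types": [],
              "kdc_errors": [], "unanswered_prompts": [], "module_results": [], "final": None}
    last_prompt = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if x := IDENT_RE.search(msg):
            report["identity"] = x.group("identity")
        elif x := OFFER_RE.search(msg):
            report["responder_identity"] = x.group("identity")
        elif x := KDC_TYPES_RE.search(msg):
            types = [int(t) for t in x.group("types").split(",")]
            report["kdc_preauth_types"] = [(t, PA_TYPES.get(t, "?")) for t in types]
        elif x := KDC_ERR_RE.search(msg):
            code = int(x.group("code"))
            report["kdc_errors"].append((code, krb5_error_name(code)))
        elif x := MODULE_RE.search(msg):
            code = int(x.group("code"))
            report["module_results"].append({
                "module": x.group("module"), "pa_type": int(x.group("pa")),
                "code": code, "name": krb5_error_name(code), "text": x.group("text")})
        elif x := PROMPT_RE.search(msg):
            last_prompt = x.group("prompt")  # remembered until we see how it was handled
        elif NO_PROMPT_MSG in msg:
            report["unanswered_prompts"].append(last_prompt)
            last_prompt = None
        elif x := FINAL_RE.search(msg):
            code = int(x.group("code"))
            report["final"] = (code, krb5_error_name(code))
    return report


if __name__ == "__main__":
    for key, value in triage_krb5_child(SAMPLE_KRB5_CHILD_LOG).items():
        print(f"{key}: {value}")
```

Reading the summary side by side with the posted krb5.conf shows what the log already states: the KDC offers PA-PK-AS-REQ (16), both pkinit attempts end in KRB5KDC_ERR_PREAUTH_FAILED right after the PIN prompt could not be answered, and the fallback to encrypted timestamp fails for want of a password.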
SAMBA share server with SSSD and NTLM even possible?
by Erinn Looney-Triggs
I have a system that is joined to an AD domain via SSSD. It was happily
running samba and serving shares using either kerberos or password
authentication; with the update to Samba 4.7.1 in the RHEL 7.5 release,
all of that stopped working.
samba config file:
[global]
log level = 5
password server = *
realm = AD.EXAMPLE.COM
encrypt passwords = yes
kerberos method = system keytab
workgroup = AD
server string = %h samba
security = ADS
map to guest = Bad User
interfaces = <valid IP>
hosts allow = <valid IP blocks>
load printers = no
passdb backend = tdbsam
dns proxy = no
max log size = 5000
bind interfaces only = no
restrict anonymous = 2
#============================ Share Definitions ==============================
[images]
comment = example images
path = /var/eng/
guest ok = no
printable = no
write list =
create mask = 0664
directory mask = 0775
read only = no
valid users = +valid-example-group
force group =
browseable = yes
Now samba will not even start without either libwbclient or
sssd-libwbclient installed with the above configuration. After
installing sssd-libwbclient and modifying valid users to:
valid users = AD\valid-example-group
kerberos based connections will work just fine. However, password based
connections for windows systems that are not AD joined, or smbclient
without kerberos, do not work. I believe this is falling back to NTLM,
and NTLM is simply not supported by SSSD, correct?
Oddly, what used to work with basically a call to getgrnam() no longer
works in the 4.7.1 release of samba, and there seems to be no mention that I
can find as to why. Any thoughts?
It looks an awful lot like, if we need to support both krb and password
based connections, we will need to use winbind, correct? Or is there
another way to make this thing work? If I have to use winbind it looks
like I need to use 'net ads join' or 'realm join
--client-software=winbind', but it then seems to me that the system will
be joined to the AD twice, once to use SSSD and once for winbind. Is
this correct? Is there a way to make winbind and SSSD work together?
Further, it looks like, according to this:
https://bugzilla.redhat.com/show_bug.cgi?id=1558560 that RHEL 7.6 with
Samba 4.8.1 will require winbind to be running, period. I believe that
statement to be a bit of an oversimplification because sssd-libwbclient
should still work, or am I misunderstanding?
Any guidance here would be great; this seems to be a fairly murky area,
or my google fu is weak.
-Erinn
5 years, 6 months
realm re-join....
by Spike White
All,
I had a VM down for a great number of days. Apparently, it was not 30
days, because even though it initially didn't correctly do AD
authentication, I fixed one misconfiguration in /etc/krb5.conf, restarted
SSSD and it did.
But that raises a bigger question. If it's been >30 days and my machine
account is no longer valid, how do I rejoin the domain?
Is it:
realm leave (no flags)
realm join (with all my usual flags that I use on the initial realm
join)
Spike
5 years, 6 months
sssctl & InfoPipe
by Ondrej Valousek
Hi list.
When I run
# sssctl user-checks <username>
The command will, under the "SSSD InfoPipe user lookup result" section:
- Print some information no matter if I enable InfoPipe in the configuration or not
- When I enable [ifp] and add extra attributes, such as "user_attributes = +mail, +telephoneNumber, +givenname, +sn", they do not appear in the sssctl output as per above
Is this intentional behavior?
Thanks,
Ondrej
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
5 years, 6 months
local id_provider krb5 auth_provider
by Ken Teh
I tried setting up a domain in sssd.conf that uses files for the account id but our active directory for authentication. But when I fire up the sssd daemon, it reports that it is using files for the auth_provider. Is this setup possible? I know I can add pam_krb5 directly into the pam stack to get what I need. I thought I'd try to do this within the pam_sss module framework.
5 years, 6 months
Re: AD authentication on samba server using sssd
by Reinaldo Souza Gomes
But how can I make sure that NTLM(SSP) will never be used?
I’ve set up Samba with SSSD and everything works fine... except for a few Windows machines which every now and then happen to send NTLM authentication flags to the Samba server, which happily forwards them. And then the authentication fails because SSSD doesn’t support NTLM.
I’ve tried all sorts of parameter combinations in smb.conf, but I didn’t find a way to completely refuse NTLM authentication on the Samba server and force the client to use another authentication method (kerberos).
5 years, 6 months
sssd fails to start when I enable [ifp]
by Ondrej Valousek
Hi List,
Seems like sssd fails to start when I enable infopipe (i.e. add "ifp" to the services list).
Log says:
(Mon Oct 8 14:18:08 2018) [sssd[ifp]] [sysbus_init] (0x0020): Unable to request name on the system bus: [Connection ":1.33273" is not allowed to own the service "org.freedesktop.sssd.infopipe" due to security policies in the configuration file]
(Mon Oct 8 14:18:08 2018) [sssd[ifp]] [sysbus_init] (0x0040): DBus error message: Connection ":1.33273" is not allowed to own the service "org.freedesktop.sssd.infopipe" due to security policies in the configuration file
(Mon Oct 8 14:18:08 2018) [sssd[ifp]] [ifp_process_init] (0x0020): Failed to connect to the system message bus
This is Centos-7, all updates applied, i.e. dbus-1.10.24, sssd-1.16.0-19.el7
Thanks,
Ondrej
5 years, 6 months
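The quoted error is dbus-daemon refusing the name request: no rule in the effective system-bus policy allows the connection's uid to own org.freedesktop.sssd.infopipe. As an added illustration (not part of the thread and not the policy fragment sssd installs), this Python evaluates a constructed busconfig policy the way dbus-daemon(1) documents ownership decisions, so one can check the installed policy against the user the ifp responder actually runs as. The policy text, user names and bus names other than the one in the log are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed system-bus policy in the shape dbus-daemon expects. It is NOT the
# file sssd ships; it only reproduces the usual structure: a default context
# that denies owning any name, then per-user and per-group grants.
SAMPLE_POLICY = """\
<busconfig>
  <policy context="default">
    <deny own="*"/>
  </policy>
  <policy user="root">
    <allow own="org.freedesktop.sssd.infopipe"/>
  </policy>
  <policy group="wheel">
    <allow own_prefix="org.example.tools"/>
  </policy>
</busconfig>
"""


def _rule_matches(rule, bus_name):
    """Does an <allow>/<deny> ownership rule apply to bus_name?"""
    if "own" in rule.attrib:
        return rule.attrib["own"] in ("*", bus_name)
    if "own_prefix" in rule.attrib:
        prefix = rule.attrib["own_prefix"]
        return bus_name == prefix or bus_name.startswith(prefix + ".")
    return False  # send_*/receive_* rules do not affect ownership


def ownership_decision(policy_xml, bus_name, user, groups=()):
    """Return (allowed, trail). dbus-daemon applies <policy> blocks in the order
    default context, group, user, mandatory context; within that order the last
    rule matching the name wins, and no matching rule means deny."""
    policies = ET.fromstring(policy_xml).findall("policy")
    ordered = [p for p in policies if p.get("context") == "default"]
    ordered += [p for p in policies if p.get("group") in groups]
    ordered += [p for p in policies if p.get("user") == user]  # numeric uids not handled here
    ordered += [p for p in policies if p.get("context") == "mandatory"]
    allowed, trail = False, []
    for pol in ordered:
        scope = ",".join(f"{k}={v}" for k, v in pol.attrib.items())
        for rule in pol:
            if rule.tag in ("allow", "deny") and _rule_matches(rule, bus_name):
                allowed = rule.tag == "allow"
                attrs = " ".join('%s="%s"' % kv for kv in rule.attrib.items())
                trail.append(f"{scope}: <{rule.tag} {attrs}/>")
    return allowed, trail


def can_own(policy_xml, bus_name, user, groups=()):
    return ownership_decision(policy_xml, bus_name, user, groups)[0]


if __name__ == "__main__":
    name = "org.freedesktop.sssd.infopipe"
    for user in ("root", "sssd"):
        ok, trail = ownership_decision(SAMPLE_POLICY, name, user)
        print(f"{user} owning {name}: {'allowed' if ok else 'denied'}; rules hit: {trail}")
```

The unprivileged user is denied here only because the default context's deny is the last rule that matched; that is the shape of decision behind "not allowed to own the service ... due to security policies", so the thing to compare is the uid of the ifp process against the `<policy user=...>` blocks in the installed fragment.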