The reason I ask is because I use a bunch of storage appliances that offer Secure-NFS (NETAPP, EMC UNITY, etc.), but they only support NIS, IDMU, RFC2307, and RFC2307bis style Identity Mapping, all of which require manual assignment of UID/GID numbers to objects in LDAP, which is untenable for large environments. Microsoft even removed Unix Attribute editor from their LDAP GUI for the RFC2307 attributes in Windows Server 2016 to push people away from using rfc2307.
I would like to be able to provide a link to an RFC or design document describing the SSSD ID Mapping algorithm so that these 3rd party vendors can incorporate an identical identity mapping algorithm into their products, so that I can use their Secure-NFS product in conjunction with sssd and have the uid and gid numbers match up with the other Linux hosts in our environment.
We've recently started receiving a lot of complaints from users about
broadcast messages of the form:
Message from syslogd@hostname at Dec 4 09:08:35 ...
sssd[be[domain.lan]]:Group Policy Container with DN
is unreadable or has unreadable or missing attributes. In order to fix
this make sure that this AD object has following attributes readable:
nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames,
gPCFunctionalityVersion, flags. Alternatively if you do not have access
to the server or can not change permissions on this object, you can use
option ad_gpo_ignore_unreadable = True which will skip this GPO.See 'man
ad_gpo_ignore_unreadable for details.'
We've reviewed the AD object with that DN and determined that they are
scoped to specific sets of workstations using AD groups, such as "Domain
Laptops". As far as we can tell, this is entirely normal, and there's
no reason to log an error, much less broadcast a message to every open
terminal every time GPOs are processed.
I'm aware of the ad_gpo_ignore_unreadable setting, but the default seems
to be the wrong behavior, and I'd like to suggest changing that.
Just wondering if there is any more news regarding the patch for sssd to
work with the new MS requirements?
Curerrently I'm being notified that ALL linux servers are reporting this in
the AD logs:
"...client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind
without requesting signing (integrity verification), or performed a simple
bind over a clear text (non-SSL/TLS-encrypted) LDAP connection..."
We are planning to test a sssd client with a patched AD server to see if
this will break AD auth on our sssd clients, but wanted to see if a patch
for sssd has been made available anywhere to use ldaps or ldap with sssd.
We have an AD-based sssd configuration that is working. For RHEL6, 7 and 8.
We've done thorough lab testing + pilot projects. All good (with certain
Currently, we're using access_provider = simple, with the appropriate
simple_allow_groups and simple_allow_users lines in /etc/sssd/sssd.conf.
A reviewer mentioned we should be using access_provider = ad +
/etc/security/access.conf file to restrict access. (We have pam_access.so
in our pam stack already, to disallow direct root login and other limited
Obviously that second approach would work too.
The claim is the first approach would allow in AD accounts with expired
passwords and locked accounts. Whereas the second approach would not.
I'm attempting to test this claim -- I have an account I can lock easily.
But does anyone have any best practices for access_provider?
The advantage of this first approach is that it's already coded and
thoroughly tested. The pilot projects use this.
The one advantage of the second approach that I'm certain of is that RHEL6
does not have a realm permit command. So to permit a user or group in
RHEL6 using the first approach is different between RHEL6 and 7/8. (To me,
that's not huge.)
> I'm currently working on patches to allow LDAPS as well and make sure
> that SASL/GSSAPI/GSS-SPNEGO are set up so that it can be used together
> with TLS. HTH
Good morning, Is there an expected eta for the patches to be available?
Is it possible to have two "ldap" providers in the same domain with
different ldap settings?
For example, if using ad for auth_provider and ldap for id/access providers
auth_provider = ldap
auth_provider ldap server x.example.com
id_provider = ldap
id_provider ldap server y.example.com
Such that the ad auth provider can now use ldap TLS/SSL to the password
server, but identity can still be managed by another server?
This may seen to be a weird setup, but it allows separation of
Gary Molenkamp Computer Science/Science Technology Services
Systems Administrator University of Western Ontario
(519) 661-2111 x86882 (519) 661-3566
First off, thanks to everyone who's ever worked on SSSD. It's easily in my top 5 favorite FOSS projects out there.
I am not sure if this is the right way to ask for an enhancement, or whether I should file an issue on GitHub, but I am running into an issue that's described in this Red Hat page https://access.redhat.com/solutions/3673501 (login required)
Basically for an automount map where I need nested top level paths:
each defined by their own map objects. SSSD does not handle this (neither does LDAP directly from autofs) because the return map from LDAP is unsorted, and if the maps are provided to autofs ordered as:
the /mnt/foo map masks the previous /mnt/foo/bar map and you'll only get the entries from /mnt/foo
Using file based mount maps, one can easily sort the top level maps, and get around this issue.
Would it be possible to have SSSD return the maps from LDAP query in a sorted way? There is an LDAP control that most LDAP servers support to return a sorted output, (
https://ldapwiki.com/wiki/Server%20Side%20Sort%20Control ) but with so many clients and a large list, this might be better left to the client to do instead.
I'm happy to help out if someone can point me in the right direction in the code.
On 12/4/2019 11:16 AM, Alexander Bokovoy via FreeIPA-users wrote:
> On ke, 04 joulu 2019, Stephen John Smoogen via FreeIPA-users wrote:
>> On Tue, 3 Dec 2019 at 21:43, TomK via FreeIPA-users
>> <freeipa-users(a)lists.fedorahosted.org> wrote:
>>> Hey All,
>>> Does FreeIPA fully support IPV6 or are there corner cases and
>>> limitations that could make it a show stopper?
>> Can you define 'fully support' IPV6? I say this from seeing various IT
>> groups still having to deal with major network hardware vendors saying
>> they 'fully support IPV6' but still needing weekly firmware updates
>> because of switch crashes due to IPv6 options. And the problem seems
>> to be that the IPV6 spec is complex and spread out over multiple
>> documents with parts implemented from draft documents that never got
>> out of committee. At times I doubt anything fully supports IPv6 so it
>> is better to come up with what you mean by what you need IPv6 support
>> to do and work from there.
> Yep. On the other hand, FreeIPA does have few open IPv6-related problems
> at the moment. It is known to work in the most IPv6 environments we have
> seen so far but there are management issues in DNS handling, for
> Whether these issues prevent you to deploy FreeIPA in IPv6-only
> environment is up to you.
Thanks everyone. What I mean by 'fully supported' is just as the
subject says, the FreeIPA piece.
To clarify a bit further I'll break this down into two parts:
1) FreeIPA Core Project: Let's assume for the sake of this discussion
that the OS, Hardware and what not fully supports IPv6. So in other
words, anything outside the realm of what you control or code within the
FreeIPA project is out of scope of this question.
2) Integration: FreeIPA / SSSD will integrate with a host of
technologies including SSSD, 389 Directory Server etc. If any of those
components aren't ready and impact FreeIPA components, I would be
interested to know.
I'm using a LDAP server for authentication/identification of users. I've set its ACIs so that every user just can access to its own data But now I have a problem in sssd clients: I should put the correct ldap_default_bind_dn value to make the request, a value which should be dynamic as it's typed on gdm/login/ssh/whatever. How can I do that? I don't want to write the admin's cn (and password!) in client's sssd.conf files!
P.S: I've asked the same topic in https://serverfault.com/questions/993030/how-to-have-a-dynamic-ldap-defau... but sadly there's no answer....
As far as I can tell the option 'ldap_sasl_mech = gssapi' in sssd.conf always makes LDAP use a Kerberos keytab for LDAP searches. As far as I can tell there is no way to use the users Kerberos credentials? I think this design comes from how Windows does it with AD?
I would like to use the Kerberos credentials of the user who has just logged-in instead. Maybe I'm somewhat paranoid or missing something but I'm not really comfortable with hundreds of hosts / machines with keytabs on them which give access to LDAP. Extracting that keytab from a machine is not that hard I think. I think in most use-cases the user only needs to be able to see LDAP entries (ie. other users with privacy sensitive information like names and other GDPR problematic data) which LDAP ACI's allow them.
Is there currently a way to configure SSSD in such a way?
I want to install sssd version 2.
Are there any limitations? I've installed sssd on suse, ubuntu and centos
with the latest repos and only get sssd version 1.16
How can I upgrade to version 2?