sssd performance on large domains
by zfnoctis@gmail.com
Hi,
I'm wondering if there are any plans to improve sssd performance on large active directory domains (100k+ users, 40k+ groups), or if there are settings I am not aware of that can greatly improve performance, specifically for workstation use cases.
Currently if I do not set "ignore_group_members = True" in sssd.conf, logins can take upwards of 6 minutes and "sssd_be" will max the CPU for up to 20 minutes after logon, which makes it a non-starter. The reason I want to allow group members to be seen is that I want certain domain groups to be able to perform elevated actions using polkit. If I ignore group members, polkit reports that the group is empty and so no one can elevate in the graphical environment.
Ultimately this means that Linux workstations are at a severe disadvantage since they cannot be bound to the domain and have the normal set of access features users and IT expect from macOS or Windows.
Distributions used: Ubuntu 16.04 (sssd 1.13.4-1ubuntu1.1), Ubuntu 16.10 (sssd 1.13.4-3) and Fedora 24 (sssd-1.13.4-3.fc24). All exhibit the same problems.
I've also tried "ldap_group_nesting_level = 1" without seeing any noticeable improvement with respect to performance. Putting the database on /tmp isn't viable as these are workstations that will reboot semi-frequently, and I don't believe this is an I/O bound performance issue anyways.
Thanks for your time.
1 year, 8 months
ID Views for IPA ID Views for AD users inconsistent resolution
by Louis Abel
I didn't get a response in #sssd, so I figured I'll try here at the mail list.
# rpm -q sssd ipa-server
sssd-1.16.0-19.el7_5.5.x86_64
ipa-server-4.5.4-10.el7_5.3.x86_64
I've been scratching my head trying to resolve this particular issue. I'm having issues with AD users where when they login, they'll get the UID/GID assigned in the ID views correctly, but only some of the time. Other times, they won't get the id view assigned to them. This is all done in the default trust view. What makes this issue even more interesting is that out of my 6 domain controllers, sometimes it'll be one server out of the six that does it, sometimes it's two. But it's never the same ones, so it's difficult to track the particular issue down. What's even more interesting is this is not occurring with some users (like my own). I have yet to see it occur with my account or even the rest of my team's accounts. One of the things I tried to do is delete the ID views of the offending users and recreate them to no avail.
I put SSSD into debug mode on the IPA servers and tried to get some relevant logs and such to try and figure this out. Below is my SSSD configuration, ldb info, and debug logs (removing private information where possible). I'm trying to determine if this is either a bug within SSSD or if this is a misconfiguration on my part.
$ ldbsearch -H cache_ipa.example.com.ldb name=user.name(a)ad.example.com originalADuidNumber uidNumber originalADgidNumber gidNumber
asq: Unable to register control with rootdse!
# record 1
dn: name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb
originalADuidNumber: 55616902
originalADgidNumber: 55616902
uidNumber: 55616902
gidNumber: 55616902
$ ipa idoverrideuser-show "Default Trust View" user.name(a)ad.example.com
Anchor to override: user.name(a)ad.example.com
UID: 40001
GID: 40001
Home directory: /home/user.name
Login shell: /bin/bash
$ ldbsearch -H timestamps_ipa.example.com.ldb | less
dn: name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb
objectCategory: user
originalModifyTimestamp: 20180823172515.0Z
entryUSN: 92632390
initgrExpireTimestamp: 1535133621
lastUpdate: 1535128235
dataExpireTimestamp: 1535133635
distinguishedName: name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb
## DEBUG LOGS
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_set_entry_attr] (0x0200): Entry [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb] has set [ts_cache] attrs.
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-922099545-2851689246-2917073205-16902))].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_print_server] (0x2000): Searching 172.20.23.190:389
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-922099545-2851689246-2917073205-16902))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=chotel,dc=com].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 32
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_op_add] (0x2000): New operation 32 timeout 6
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55f30a5d1080], connected[1], ops[(nil)], ldap[0x55f30a5d0f90]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55f30a5d1940], connected[1], ops[0x55f30a645310], ldap[0x55f30a5ce320]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [ipaanchoruuid=:SID:S-1-5-21-922099545-2851689246-2917073205-16902,cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=chotel,dc=com].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [loginShell]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [uidNumber]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaAnchorUUID]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [homeDirectory]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaOriginalUid]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55f30a5d1940], connected[1], ops[0x55f30a645310], ldap[0x55f30a5ce320]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_op_destructor] (0x2000): Operation 32 finished
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_get_ad_override_done] (0x4000): Found override for object with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-922099545-2851689246-2917073205-16902))].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x4000): Override [uidNumber] with [40001] for [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x0080): Override attribute for [gidNumber] has more [2] than one value, using only the first.
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x4000): Override [gidNumber] with [40001] for [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x4000): Override [homeDirectory] with [/home/user.name] for [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x4000): Override [loginShell] with [/bin/bash] for [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f30a6819a0
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f30a681a60
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Running timer event 0x55f30a6819a0 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Destroying timer event 0x55f30a681a60 "ltdb_timeout"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Ending timer event 0x55f30a6819a0 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [safe_original_attributes] (0x4000): Original object does not have [sshPublicKey] set.
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f30a683c50
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f30a683d10
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Running timer event 0x55f30a683c50 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Destroying timer event 0x55f30a683d10 "ltdb_timeout"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Ending timer event 0x55f30a683c50 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_ldb_msg_difference] (0x2000): Replaced/extended attr [uidNumber] of entry [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f30a68d1c0
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f30a68d280
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Running timer event 0x55f30a68d1c0 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Destroying timer event 0x55f30a68d280 "ltdb_timeout"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Ending timer event 0x55f30a68d1c0 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_set_entry_attr] (0x0200): Entry [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb] has set [cache, ts_cache] attrs.
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f30a68d330
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f30a688900
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Running timer event 0x55f30a68d330 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f30a689320
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f30a6893e0
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Destroying timer event 0x55f30a688900 "ltdb_timeout"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Ending timer event 0x55f30a68d330 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Running timer event 0x55f30a689320 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f30a634920
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f30a6349e0
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Destroying timer event 0x55f30a6893e0 "ltdb_timeout"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Ending timer event 0x55f30a689320 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Running timer event 0x55f30a634920 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Destroying timer event 0x55f30a6349e0 "ltdb_timeout"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Ending timer event 0x55f30a634920 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_initgr_get_overrides_step] (0x1000): Processing group 0/1
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_initgr_get_overrides_step] (0x1000): Fetching group S-1-5-21-922099545-2851689246-2917073205-20676
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-922099545-2851689246-2917073205-20676))].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_print_server] (0x2000): Searching 172.20.23.190:389
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-922099545-2851689246-2917073205-20676))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=chotel,dc=com].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 33
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_op_add] (0x2000): New operation 33 timeout 6
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55f30a5d1940], connected[1], ops[0x55f30a63f270], ldap[0x55f30a5ce320]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55f30a5d1940], connected[1], ops[0x55f30a63f270], ldap[0x55f30a5ce320]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_op_destructor] (0x2000): Operation 33 finished
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-922099545-2851689246-2917073205-20676))].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_initgr_get_overrides_step] (0x1000): Processing group 1/1
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_get_ad_memberships_send] (0x0400): External group information still valid.
## /etc/sssd/sssd.conf
[domain/ipa.example.com]
cache_credentials = True
krb5_store_password_if_offline = True
# krb5_realm = IPA.EXAMPLE.COM
ipa_domain = ipa.example.com
ipa_hostname = entl01.ipa.example.com
# Server Specific Settings
ipa_server = entl01.ipa.example.com
ipa_server_mode = True
subdomain_homedir = %o
fallback_homedir = /home/%u
default_shell = /bin/bash
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
domains = ipa.example.com
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,tomcat,activemq,informix,oracle,xdba,grid,dbadmin,weblogic,operator,postgres,devolog
memcache_timeout = 600
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
2 years, 2 months
Enumerate users from external group from AD trust
by Bolke de Bruin
Hello,
I have sssd 1.13.00 working against FreeIPA 4.2 domain. This domain has a trust relationship with a active directory domain.
One of the systems we are using requires to enumerate all users in groups by (unfortunate) design (Apache Ranger). This is done by using
“getent group”. During this enumeration the full user list for a group that has a nested external member group* is not always returned so we thought to
add “getent group mygroup” in order to get more details. Unfortunately this does not seem to work consistently: sometimes this gives information sometimes it does not:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
[root@master centos]# id bolke(a)ad.local
UID=1796201107(bolke(a)ad.local) GID=1796201107(bolke(a)ad.local) groepen=1796201107(bolke(a)ad.local),1796200513(domain users@ad.local),1796201108(test(a)ad.local)
[root@master centos]# getent group ad_users
ad_users:*:1950000004:bolke@ad.local <mailto:bolke@ad.local>
If I clear the cache (sss_cache -E) the entry is gone again:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
My question is how do I get sssd to enumerate *all users* in a group consistently?
Thanks!
Bolke
* https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-g...
3 years, 10 months
SSSD strangeness
by simonc99@hotmail.com
Hi All
We've got SSSD 1.13.0 installed as part of a Centos 7.2.1511 installation.
We've used realmd to join the host concerned to our 2008R2 AD system. This went really well, and consequently we've been using SSSD to provide login services and kerberos integration for our fairly large hadoop system.
The authconfig that's implicitly run as part of realmd produces the following sssd.conf:
[sssd]
domains = <joined domain>
config_file_version = 2
services = nss, pam
[pam]
debug_level = 0x0080
[nss]
timeout = 20
force_timeout = 600
debug_level = 0x0080
[domain/<joined domain>]
ad_domain = <joined domain>
krb5_realm = <JOINED DOMAIN>
realmd_tags = manages-system joined-with-samba
cache_credentials = true
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = <AD group allowing logins>
krb5_use_kdc_info = False
entry_cache_timeout = 300
debug_level = 0x0080
ad_server = <active directory server>
As I've said - this works really well. We did have some stability issues initially, but they've been fixed by defining the 'ad_server' rather than using autodiscovery.
Logins work fine, kerberos TGTs are issued on login, and password changes are honoured correctly.
However, in general day to day use, we have noticed a few anomalies, that we just can't track down.
Firstly (this has happened a few times), a user will change their AD password (via a Windows PC).
Subsequent logins - sometimes with specific client software - fail with
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<remote PC name> user=<username>
pam_sss(sshd:auth): received for user <username>: 17 (failure setting user credentials)
So in this example, the person concerned has changed their AD password. Further attempts to access this system via SSH work fine. However, using SFTP doesn't work (the above is output into /var/log/secure).
There are no local controls on sftp logins, and the user concerned was working fine (using both sftp and ssh) until they updated their password.
There is no separate sftp daemon running, and it only affects one individual currently (but we have seen some very similar instances before)
The second issue we have is around phantom groups in AD.
Hadoop uses an id -Gn command to see group membership for authorisation.
With some users - we've seen 6 currently - we see certain groups failing to be looked up:
id -Gn <username>
id: cannot find name for group ID xxxxyyyyy
<group name> <group name> <group name> <group name> <etc...>
The xxxxyyyyy indicates:
xxxx = hashed realm name
yyyyy = RID from group in AD
We can't find any group with that number on the AD side!
We can work around this by adding a local group (into /etc/group) for the GIDs affected. This means the id -Gn runs correctly, and the hadoop namenode can function correctly - but this is a workaround and we'd like to get to the bottom of the issue.
Rather than flooding this post now with logfiles, just thought I'd see if this looked familiar to anyone. Happy to upload any logs, amend logging levels, etc.
Many thanks
Simon
3 years, 11 months
sssd[be[1320]: Backend is offline
by Harald Dunkel
Hi folks,
sssd 1.16.3-1 (rebuilt for Debian 9), systemd
At boot time sssd_nss fails to initialize. systemctl status sssd
shows
root@srvl061:~# systemctl status sssd
* sssd.service - System Security Services Daemon
Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2018-11-22 11:57:30 CET; 46s ago
Main PID: 1312 (sssd)
Tasks: 5 (limit: 7372)
CGroup: /system.slice/sssd.service
|-1312 /usr/sbin/sssd -i --logger=files
|-1345 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain example.com --uid 0 --gid 0 --logger=files
|-1533 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --uid 0 --gid 0 --logger=files
|-1534 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --uid 0 --gid 0 --logger=files
`-1535 /usr/lib/x86_64-linux-gnu/sssd/sssd_pac --uid 0 --gid 0 --logger=files
Nov 22 11:57:25 srvl061.ac.example.com systemd[1]: Starting System Security Services Daemon...
Nov 22 11:57:25 srvl061.ac.example.com sssd[1312]: Starting up
Nov 22 11:57:25 srvl061.ac.example.com sssd[be[1345]: Starting up
Nov 22 11:57:30 srvl061.ac.example.com sssd[1533]: Starting up
Nov 22 11:57:30 srvl061.ac.example.com sssd[1534]: Starting up
Nov 22 11:57:30 srvl061.ac.example.com sssd[1535]: Starting up
Nov 22 11:57:30 srvl061.ac.example.com systemd[1]: Started System Security Services Daemon.
Nov 22 11:57:45 srvl061.ac.example.com sssd[be[1345]: Backend is offline
Apparently this is a problem of resolvconf generating /etc/\
resolv.conf at boot time. If I replace it by a static file, then
the problem is gone.
Question is, how can I tell systemd to wait for resolv.conf?
Is there some timeout in the backend I could adjust? Does it
wait for the network at all?
Every helpful comment is highly appreciated
Regards
Harri
4 years, 4 months
logging in with AD account strangeness
by Peter de Groot
please help.
On ubuntu against AD. Logging in with an AD account works fine.. EXCEPT for just ONE account. The other AD accounts work fine
It will let me login once.. and when I try to login again, it comes up with access denied.
BUT... if I do a sssctl cache-remove, it works again .. the first time.
id, and related diagnostics on this account come up fine..
Used realmd to add the machine to AD. sssd.conf below.
Level 10 logs for at first working and not working can be downloaded from
https://intranet.egc.wa.edu.au/downloads/sssd.tar.gz
Please help .. driving me insane :-)
Peter
root@e4182s01sv025:/etc/sssd# more sssd.conf
[sssd]
domains = orange.schools.internal
config_file_version = 2
services = nss, pam ,ifp, sudo
default_domain_suffix = ORANGE.SCHOOLS.INTERNAL
[domain/orange.schools.internal]
ad_domain = orange.schools.internal
krb5_realm = ORANGE.SCHOOLS.INTERNAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
ad_gpo_access_control = permissive
root@e4182s01sv025:/etc/sssd#
4 years, 6 months
getent group <ad-group-name> empty output - no members shown
by Hans Schou
Hi
"getent group <name>" does not give any output at all.
However "getent passwd" looks correctly up in the AD:
$ getent passwd zmir2
zmir2:*:2956636:100:Hans Schou:/home/zmir2:/bin/bash
$ grep -c ^zmir2 /etc/passwd
0
nsswitch looks fine:
$ egrep "^(group|passwd)" /etc/nsswitch.conf
passwd: files sss
group: files sss
SSO is working fine with both ssh and samba share.
$ realm list
foo.org
type: kerberos
realm-name: FOO.ORG
domain-name: foo.org
configured: kerberos-member
server-software: active-directory
client-software: winbind
required-package: oddjob-mkhomedir
required-package: oddjob
required-package: samba-winbind-clients
required-package: samba-winbind
required-package: samba-common-tools
login-formats: %U
login-policy: allow-any-login
foo.org
type: kerberos
realm-name: FOO.ORG
domain-name: foo.org
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U
login-policy: allow-realm-logins
# cat /etc/sssd/sssd.conf
[sssd]
domains = foo.org
config_file_version = 2
services = nss, pam
[domain/foo.org]
ad_domain = foo.org
krb5_realm = FOO.ORG
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
All on Red Hat 7.6.
The goal is to use an AD group in a samba share but it obviously does not
lookup groups in the AD, only specific users.
--
Venlig hilsen - best regards
4 years, 6 months
ldap domain - queried attributes filter?
by Martin Hansen
Hi,
I'm using sssd with LDAP backend / domain. I wonder if there is a way to influence the attributes which are queried by sssd? Like not just the mapping but which attributes are ok to be queried and which attributes should not? I have some cloud servers which are accessing our internal directory via slapd (proxy).
I have two questions re this:
1. I use "services: nss,pam", so why is sssd querying sudoers information via the ldap domain like:
ldap filter used by sssd:
"(&(?objectClass=sudoRole)(|(!(?sudoHost=*))(?sudoHost=ALL)(?sudoHost=ip-xx-xx-xx-xx)(?sudoHost=ip-xx-xx-xx-xx)(?sudoHost=xx.xx.xx.xx)(?sudoHost=xx.xx.xx.xx/xx)?sudoHost=+*)(|(?sudoHost=*\5C*)(?sudoHost=*?*)(?sudoHost=*\2A*)(?sudoHost=*[*]*))))"
2. I as well would like to modify the attributes which are queried by sssd. I would like sssd NOT to query "userPassword" for example. A lot of other attributes which are queried are not relevant in my environment as well e.g. the "krb*" attributes.
ldap attributes queried by sssd:
objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn GroupMembership modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host rhost loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey userCertificate;binary mail
Is it possible to influence this behavior somehow, I tried user_attributes in the domain section as well as in the nss section without success, e.g. "user_attributes = -userPassword".
any help or clarifying words are appreciated, have a great day
M
4 years, 6 months
Fedora 29 SSSD changes/SSSD Cache Path Alternative
by Gregory Carter
I have a diskless workstation, which I noticed recently with some updates
has stopped working with respect to sssd. Here is the config which no
longer works:
[domain/default]
id_provider = ldap
autofs_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://named.domain.com/
ldap_search_base = dc=domain,dc=com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/certs
cache_credentials = True
ldap_autofs_map_object_class = automountMap
ldap_autofs_map_name = ou
ldap_autofs_entry_object_class = automount
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = automountInformation
debug_level = 9
[sssd]
services = nss, pam, autofs
domains = default
debug_level = 9
[nss]
homedir_substring = /home
debug_level = 9
[pam]
debug_level = 9
[sudo]
debug_level = 9
[autofs]
debug_level = 9
[ssh]
debug_level = 9
[pac]
debug_level = 9
[ifp]
debug_level = 9
[secrets]
debug_level = 9
[session_recording]
debug_level = 9
What I found, is that the /var/lib/sss directory is not working correctly
anymore with NFS root mount.
Lots of timeout and error messages which, after looking at with various
debug levels, really didn't offer any clue to exactly why the various
components would time out.
However, I did notice the only workstation which had a issue with the
update was the diskless workstation, so I mounted the /var/lib/sss
directory on /tmp (Ram disk) which fixed the issue.
I searched for a option to change the sssd /var/lib/sss path and did not
find one.
Is there a way to change that in the /etc/sssd/sssd.conf?
4 years, 6 months
Announcing SSSD 1.16.4
by Jakub Hrozek
SSSD 1.16.4
===========
The SSSD team is proud to announce the release of version 1.16.4 of the
System Security Services Daemon.
The tarball can be downloaded from https://releases.pagure.org/SSSD/sssd/
RPM packages will be made available for Fedora shortly.
Feedback
————----
Please provide comments, bugs and other feedback via the sssd-devel or
sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Highlights
----------
New Features
^^^^^^^^^^^^
* The list of PAM services which are allowed to authenticate using a
Smart Card is now configurable using a new option
``pam_p11_allowed_services``. (#2926)
* A new configuration option ``ad_gpo_implicit_deny`` was added. This option
(when set to True) can be used to deny access to users even if there is
not applicable GPO. Normally users are allowed access in this situation.
(#3701)
* The LDAP authentication provider now allows to use a different method of
changing LDAP passwords using a modify operation in addition to the
default extended operation. This is meant to support old LDAP servers
that do not implement the extended operation. The password change using
the modification operation can be selected with ``ldap_pwmodify_mode =
"ldap_modify"`` (#1314)
* The ``auto_private_groups`` configuration option now takes a new value
``hybrid``. This mode autogenerates private groups for user entries
where the UID and GID values have the same value and at the same time
the GID value does not correspond to a real group entry in LDAP (#3822)
Security issues fixed
^^^^^^^^^^^^^^^^^^^^^
* CVE-2019-3811: SSSD used to return "/" in case a user entry had no home
directory. This was deemed a security issue because this flaw could
impact services that restrict the user's filesystem access to within
their home directory. An empty home directory field would indicate
"no filesystem access", where sssd reporting it as "/" would grant full
access (though still confined by unix permissions, SELinux etc).
Notable bug fixes
^^^^^^^^^^^^^^^^^
* The IPA provider, in a setup with a trusted Active Directory domain,
did not remove cached entries that were no longer present on
the AD side (#3984)
* The Active Directory provider now fetches the user information from the
LDAP port and switches to using the Global Catalog port, if available
for the group membership. This fixes an issue where some attributes
which are not available in the Global Catalog, typically the home
directory, would be removed from the user entry. (#2474)
* The IPA SELinux provider now sets the user login context even if it is the
same as the system default. This is important in case the user has
a non-standard home directory, because then only adding the user to
the SELinux database ensures the home directory will be labeled properly.
However, this fix causes a performance hit during the first login
as the context must be written into the semanage database.
* The sudo responder did not reflect the case_sensitive domain option
(#3820)
* A memory leak when requesting netgroups repeatedly was fixed (#3870)
* An issue that caused SSSD to sometimes switch to offline mode in case
not all domains in the forest ran the Global Catalog service was
fixed (#3902)
* The SSH responder no longer fails completely if the ``p11_child`` times out
when deriving SSH keys from a certificate (#3937)
* The negative cache was not reloaded after new sub domains were discovered which
could have lead to a high SSSD load (#3683)
* The negative cache did not work properly for in case a lookup fell back to trying
a UPN instead of a name (#3978)
* If any of the SSSD responders was too busy, that responder wouldn't have
refreshed the trusted domain list (#3967)
* A potential crash due to a race condition between the fail over code refreshing
a SRV lookup and back end using its results (#3976)
* Sudo's runAsUser and runAsGroup attributes did not match properly when used in
setups with domain_resolution_order
* Processing of the values from the ``filter_users`` or ``filter_groups`` options
could trigger calls to blocking NSS API functions which could in turn
prevent the startup of SSSD services in case nsswitch.conf contained
other modules than ``sss`` or ``files`` (#3963)
Tickets Fixed
-------------
* `3967 <https://pagure.io/SSSD/sssd/issue/3967>`_ - NSS responder does no refresh domain list when busy
* `2926 <https://pagure.io/SSSD/sssd/issue/2926>`_ - Make list of local PAM services allowed for Smartcard authentication configurable
* `3819 <https://pagure.io/SSSD/sssd/issue/3819>`_ - sssd only sets the SELinux login context if it differs from the default
* `3820 <https://pagure.io/SSSD/sssd/issue/3820>`_ - sudo: search with lower cased name for case insensitive domains
* `3870 <https://pagure.io/SSSD/sssd/issue/3870>`_ - nss: memory leak in netgroups
* `3451 <https://pagure.io/SSSD/sssd/issue/3451>`_ - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.
* `3875 <https://pagure.io/SSSD/sssd/issue/3875>`_ - CURLE_SSL_CACERT is deprecated in recent curl versions
* `3902 <https://pagure.io/SSSD/sssd/issue/3902>`_ - SSSD must be cleared/restarted periodically in order to retrieve AD users through IPA Trust
* `3901 <https://pagure.io/SSSD/sssd/issue/3901>`_ - sssd returns '/' for emtpy home directories
* `3919 <https://pagure.io/SSSD/sssd/issue/3919>`_ - sss_cache prints spurious error messages when invoked from shadow-utils on package install
* `3845 <https://pagure.io/SSSD/sssd/issue/3845>`_ - The config file validator says that certmap options are not allowed
* `3937 <https://pagure.io/SSSD/sssd/issue/3937>`_ - If p11_child spawned from sssd_ssh times out, sssd_ssh fails completely
* `3961 <https://pagure.io/SSSD/sssd/issue/3961>`_ - sssd config-check reports an error for a valid configuration option
* `3701 <https://pagure.io/SSSD/sssd/issue/3701>`_ - [RFE] Allow changing default behavior of SSSD from an allow-any default to a deny-any default when it can't find any GPOs to apply to a user login.
* `2474 <https://pagure.io/SSSD/sssd/issue/2474>`_ - AD: do not override existing home-dir or shell if they are not available in the global catalog
* `3958 <https://pagure.io/SSSD/sssd/issue/3958>`_ - sssd_krb5_locator_plugin introduces delay in cifs.upcall krb5 calls
* `3890 <https://pagure.io/SSSD/sssd/issue/3890>`_ - SSSD changes the memory cache file ownership away from the SSSD user when running as root
* `3942 <https://pagure.io/SSSD/sssd/issue/3942>`_ - RemovedInPytest4Warning: Fixture "passwd_ops_setup" called directly
* `3276 <https://pagure.io/SSSD/sssd/issue/3276>`_ - Revert workaround in CI for bug in python-{request,urllib3}
* `3978 <https://pagure.io/SSSD/sssd/issue/3978>`_ - UPN negative cache does not use values from 'filter_users' config option
* `3983 <https://pagure.io/SSSD/sssd/issue/3983>`_ - filter_users option is not applied to sub-domains if SSSD starts offline
* `3947 <https://pagure.io/SSSD/sssd/issue/3947>`_ - SSSD netgroups do not honor entry_cache_nowait_percentage
* `3984 <https://pagure.io/SSSD/sssd/issue/3984>`_ - IPA: Deleted user from trusted domain is not removed properly from the cache on IPA clients
* `3976 <https://pagure.io/SSSD/sssd/issue/3976>`_ - crash in dp_failover_active_server
* `3957 <https://pagure.io/SSSD/sssd/issue/3957>`_ - sudo: runAsUser/Group does not work with domain_resolution_order
* `1314 <https://pagure.io/SSSD/sssd/issue/1314>`_ - RFE Request for allowing password changes using SSSD in DS which dont follow OID's from RFC 3062
* `3822 <https://pagure.io/SSSD/sssd/issue/3822>`_ - Enable generating user private groups only for users with no primary GID
* `3963 <https://pagure.io/SSSD/sssd/issue/3963>`_ - Responders: processing of `filter_users`/`filter_groups` should avoid calling blocking NSS API
Packaging Changes
-----------------
* Several files in the reference specfile changed permissions to avoid
issues with verifying the file integrity with ``rpm -V`` in case
SSSD runs as a different user than the default user it is configured
with (#3890)
Documentation Changes
---------------------
* The AD provider default value of ``fallback_homedir`` was changed
to ``fallback_homedir = /home/%d/%u`` to provide home directories for
users without the ``homeDirectory`` attribute.
* A new option ``ad_gpo_implicit_deny``, defaulting to False (#3701)
* A new option ``ldap_pwmodify_mode`` (#1314)
* A new option ``pam_p11_allowed_services`` (#2926)
* The ``auto_private_groups`` accepts a new option value ``hybrid`` (#3822)
* Improved documentation of the Kerberos locator plugin
Detailed Changelog
------------------
* Alexey Tikhonov (5):
* Fix error in hostname retrieval
* lib/cifs_idmap_sss: fixed unaligned mem access
* ci/sssd.supp: fixed c-ares-suppress-leak-from-init
* negcache: avoid "is_*_local" calls in some cases
* Monitor: changed provider startup timeout
* Fabiano Fidêncio (1):
* man/sss_ssh_knownhostsproxy: fix typo pubkeys -> pubkey
* Jakub Hrozek (54):
* Updating the version to track 1.16.4 development
* src/tests/python-test.py is GPLv3+
* src/tests/intg/util.py is licensed under GPLv3+
* src/tests/intg/test_ts_cache.py is licensed under GPLv3+
* src/tests/intg/test_sudo.py is licensed under GPLv3+
* src/tests/intg/test_sssctl.py is licensed under GPLv3+
* src/tests/intg/test_ssh_pubkey.py is licensed under GPLv3+
* src/tests/intg/test_session_recording.py is licensed under GPLv3+
* src/tests/intg/test_secrets.py is licensed under GPLv3+
* src/tests/intg/test_pysss_nss_idmap.py is licensed under GPLv3+
* src/tests/intg/test_pam_responder.py is licensed under GPLv3+
* src/tests/intg/test_pac_responder.py is licensed under GPLv3+
* src/tests/intg/test_netgroup.py is licensed under GPLv3+
* src/tests/intg/test_memory_cache.py is licensed under GPLv3+
* src/tests/intg/test_local_domain.py is licensed under GPLv3+
* src/tests/intg/test_ldap.py is licensed under GPLv3+
* src/tests/intg/test_kcm.py is licensed under GPLv3+
* src/tests/intg/test_infopipe.py is licensed under GPLv3+
* src/tests/intg/test_files_provider.py is licensed under GPLv3+
* src/tests/intg/test_files_ops.py is licensed under GPLv3+
* src/tests/intg/test_enumeration.py is licensed under GPLv3+
* src/tests/intg/sssd_passwd.py is licensed under GPLv3+
* src/tests/intg/sssd_nss.py is licensed under GPLv3+
* src/tests/intg/sssd_netgroup.py is licensed under GPLv3+
* src/tests/intg/sssd_ldb.py is licensed under GPLv3+
* src/tests/intg/sssd_id.py is licensed under GPLv3+
* src/tests/intg/sssd_group.py is licensed under GPLv3+
* src/tests/intg/secrets.py is licensed under GPLv3+
* src/tests/intg/ldap_local_override_test.py is licensed under GPLv3+
* src/tests/intg/ldap_ent.py is licensed under GPLv3+
* src/tests/intg/krb5utils.py is licensed under GPLv3+
* src/tests/intg/kdc.py is licensed under GPLv3+
* src/tests/intg/files_ops.py is licensed under GPLv3+
* src/tests/intg/ent_test.py is licensed under GPLv3+
* src/tests/intg/ent.py is licensed under GPLv3+
* src/tests/intg/ds_openldap.py is licensed under GPLv3+
* src/tests/intg/ds.py is licensed under GPLv3+
* src/config/setup.py.in is licensed under GPLv3+
* src/config/SSSDConfig/ipachangeconf.py is licensed under GPLv3+
* Explicitly add GPLv3+ license blob to several files
* SELINUX: Always add SELinux user to the semanage database if it doesn't exist
* pep8: Ignore W504 and W605 to silence warnings on Debian
* LDAP: minor refactoring in auth_send() to conform to our coding style
* LDAP: Only authenticate the auth connection if we need to look up user information
* NSS: Avoid changing the memory cache ownership away from the sssd user
* TESTS: Only use __wrap_sss_ncache_reset_repopulate_permanent to finish test if needed
* UTIL: Add a is_domain_mpg shorthand
* UTIL: Convert bool mpg to an enum mpg_mode
* CONFDB: Read auto_private_groups as string, not bool
* CONFDB/SYSDB: Add the hybrid MPG mode
* CACHE_REQ: Add cache_req_data_get_type()
* NSS: Add the hybrid-MPG mode
* TESTS: Add integration tests for auto_private_groups=hybrid
* Updating the translations for the 1.16.4 release
* Lukas Slebodnik (26):
* krb5_locator: Make debug function internal
* krb5_locator: Simplify usage of macro PLUGIN_DEBUG
* krb5_locator: Fix typo in debug message
* krb5_locator: Fix formatting of the variable port
* krb5_locator: Use format string checking for debug function
* PAM: Allow to configure pam services for Smartcards
* UTIL: Fix compilation with curl 7.62.0
* test_pac_responder: Skip test if pac responder is not installed
* INTG: Show extra test summary info with pytest
* CI: Modify suppression file for c-ares-1.15.0
* sss_cache: Do not fail for missing domains
* intg: Add test for sss_cache & shadow-utils use-case
* sss_cache: Do not fail if noting was cached
* test_sss_cache: Add test case for invalidating missing entries
* pyhbac-test: Do not use assertEquals
* SSSDConfigTest: Do not use assertEquals
* SSSDConfig: Fix ResourceWarning unclosed file
* SSSDConfigTest: Remove usage of failUnless
* BUILD: Fix condition for building sssd-kcm man page
* NSS: Do not use deprecated header files
* sss_cache: Fail if unknown domain is passed in parameter
* test_sss_cache: Add test case for wrong domain in parameter
* test_files_provider: Do not use pytest fixtures as functions
* test_ldap: Do not uses pytest fixtures as functions
* Revert "intg: Generate tmp dir with lowercase"
* ent_test: Update assertions for python 3.7.2
* Michal Židek (1):
* GPO: Add gpo_implicit_deny option
* Pavel Březina (9):
* sudo: respect case sensitivity in sudo responder
* nss: use enumeration context as talloc parent for cache req result
* netgroups: honor cache_refresh_percent
* sdap: add sdap_modify_passwd_send
* sdap: add ldap_pwmodify_mode option
* sdap: split password change to separate request
* sdap: use ldap_pwmodify_mode to change password
* sudo ipa: do not store rules without sudoHost attribute
* be: remember last good server's name instead of fo_server structure
* Sumit Bose (22):
* intg: flush the SSSD caches to sync with files
* LDAP: Log the encryption used during LDAP authentication
* BUILD: Accept krb5 1.17 for building the PAC plugin
* tests: fix mocking krb5_creds in test_copy_ccache
* tests: increase p11_child_timeout
* Revert "IPA: use forest name when looking up the Global Catalog"
* ipa: use only the global catalog service of the forest root
* utils: make N_ELEMENTS public
* ad: replace ARRAY_SIZE with N_ELEMENTS
* responder: fix domain lookup refresh timeout
* ldap: add get_ldap_conn_from_sdom_pvt
* ldap: prefer LDAP port during initgroups user lookup
* ldap: user get_ldap_conn_from_sdom_pvt() where possible
* krb5_locator: always use port 88 for master KDC
* NEGCACHE: initialize UPN negative cache as well
* NEGCACHE: fix typo in debug message
* NEGCACHE: repopulate negative cache after get_domains
* ldap: add users_get_handle_no_user()
* ldap: make groups_get_handle_no_group() public
* ipa s2n: fix typo
* ipa s2n: do not add UPG member
* ipa s2n: try to remove objects not found on the server
* Thorsten Scherf (1):
* CONFIG: add missing ldap attributes for validation
* Tomas Halman (4):
* nss: sssd returns '/' for emtpy home directories
* ssh: sssd_ssh fails completely on p11_child timeout
* ssh: p11_child error message is too generic
* krb5_locator: Allow hostname in kdcinfo files
* Victor Tapia (1):
* GPO: Allow customization of GPO_CROND per OS
* mateusz (1):
* Added note about default value of ad_gpo_map_batch parameter
4 years, 6 months