sssd performance on large domains
by zfnoctis@gmail.com
Hi,
I'm wondering if there are any plans to improve sssd performance on large active directory domains (100k+ users, 40k+ groups), or if there are settings I am not aware of that can greatly improve performance, specifically for workstation use cases.
Currently if I do not set "ignore_group_members = True" in sssd.conf, logins can take upwards of 6 minutes and "sssd_be" will max the CPU for up to 20 minutes after logon, which makes it a non-starter. The reason I want to allow group members to be seen is that I want certain domain groups to be able to perform elevated actions using polkit. If I ignore group members, polkit reports that the group is empty and so no one can elevate in the graphical environment.
Ultimately this means that Linux workstations are at a severe disadvantage since they cannot be bound to the domain and have the normal set of access features users and IT expect from macOS or Windows.
Distributions used: Ubuntu 16.04 (sssd 1.13.4-1ubuntu1.1), Ubuntu 16.10 (sssd 1.13.4-3) and Fedora 24 (sssd-1.13.4-3.fc24). All exhibit the same problems.
I've also tried "ldap_group_nesting_level = 1" without seeing any noticeable improvement with respect to performance. Putting the database on /tmp isn't viable as these are workstations that will reboot semi-frequently, and I don't believe this is an I/O-bound performance issue anyway.
Thanks for your time.
1 year, 10 months
kcm, gssproxy and klist
by Winberg Adam
With KCM and gssproxy we often see a long list of credentials when doing a 'klist':
[user.u@lxserv2114 ~]$ klist
Ticket cache: KCM:17098:66803
Default principal: user.u@AD
Valid starting Expires Service principal
01/01/1970 00:00:00 01/01/1970 00:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
01/01/1970 00:00:00 01/01/1970 00:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
01/01/1970 00:00:00 01/01/1970 00:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
01/01/1970 00:00:00 01/01/1970 00:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
01/01/1970 00:00:00 01/01/1970 00:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
01/01/1970 00:00:00 01/01/1970 00:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
01/01/1970 00:00:00 01/01/1970 00:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
and so on...
The actual gssproxy credentials at /var/lib/gssproxy/clients/ do not correspond with this output; it only contains what could be expected: a TGT and maybe some service tickets.
The ever-growing 'klist' list of credentials is a problem: after a while the user can no longer get any new credentials and therefore has no access to their NFS homedir (sec=krb5). I'm guessing it's the 'max_uid_ccaches' option in sssd-kcm that prevents this.
What is going on here - have we configured gssproxy/kcm wrong or is this a bug?
Regards
Adam
1 year, 11 months
sssd: AD range retrieval fails when enumeration is enabled
by R Davies
Hi,
When enumeration is enabled (required due to a legacy application), and where a group has > 1500 members, and AD's MaxValRange is at the default 1500, then sssd fails to show more than 1500 group members. Group lookups are no longer accurate.
A further interesting aspect is that if the sssd cache is expired (sssctl cache-expire -E), then the correct group membership is shown until such time as enumeration is processed again (i.e. at most ldap_enumeration_refresh_timeout + memcache_timeout).
src/providers/ldap/sdap.c's sdap_parse_entry() states:
    /* This attribute contained range values and needs more to
     * be retrieved
     */
    /* TODO: return the set of attributes that need additional retrieval
     * For now, we'll continue below and treat it as regular values.
     */
As enumeration is enabled, the subsequent ASQ/deref work is never undertaken. As such sssd only ever processes the initial range of retrieved members (0-1499) (NB that nested groups' members are evaluated).
We have looked at the relevant source code, but can't find a way to trigger Attribute Scope Queries (ASQ)/deref. Indeed, no manner of sssd configuration settings (other than disabling enumeration, which we sadly cannot do) appears to change this behaviour. Increasing MaxValRange on AD defeats the purpose of having MaxValRange.
Has anyone run into this before? Or, should I raise a new issue?
Many Thanks.
R.
2 years, 3 months
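The range retrieval the post above describes, walked to completion, as an added example (this is not sssd's code, and the directory it queries is a constructed stand-in with a configurable MaxValRange): it parses the `member;range=N-M` attribute descriptions AD returns, issues the follow-up `member;range=M+1-*` requests until the server answers with `*`, and contrasts the full member count with what a client gets by treating the first chunk as the whole value list.

```python
"""Walk an AD ranged-attribute result (MaxValRange) to completion.

Added example, not sssd code. Models the MS-ADTS range retrieval
behaviour: when a multi-valued attribute has more values than
MaxValRange, the server returns it under the name "member;range=0-1499";
the client must request "member;range=1500-*" and repeat until the
reply's upper bound is "*". Stopping after the first chunk (what the
post observes) silently drops every member past index MaxValRange-1.
"""
import re
from typing import Dict, List, Optional, Tuple

RANGE_RE = re.compile(
    r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.IGNORECASE)


def parse_range_attr(name: str) -> Optional[Tuple[str, int, Optional[int]]]:
    """Return (base_attribute, low, high) for 'member;range=0-1499'.

    high is None when the server sent '*' (the final chunk).
    Returns None for a plain, un-ranged attribute name.
    """
    m = RANGE_RE.match(name)
    if m is None:
        return None
    hi = None if m.group("hi") == "*" else int(m.group("hi"))
    return m.group("attr"), int(m.group("lo")), hi


def next_range_request(name: str) -> Optional[str]:
    """Attribute description that fetches the chunk after `name`, or None if done."""
    parsed = parse_range_attr(name)
    if parsed is None:
        return None  # plain attribute: the server returned every value at once
    attr, _lo, hi = parsed
    if hi is None:
        return None  # 'range=N-*' marks the last chunk
    return f"{attr};range={hi + 1}-*"


class FakeRangedDirectory:
    """Constructed stand-in (hypothetical) for an AD DC enforcing MaxValRange."""

    def __init__(self, members: List[str], max_val_range: int = 1500) -> None:
        self.members = members
        self.max_val_range = max_val_range

    def search(self, attr_request: str) -> Dict[str, List[str]]:
        """Answer one search for 'member' or 'member;range=N-*'."""
        parsed = parse_range_attr(attr_request)
        lo = 0 if parsed is None else parsed[1]
        total = len(self.members)
        if parsed is None and total <= self.max_val_range:
            return {"member": list(self.members)}  # small group: no ranging
        hi = min(lo + self.max_val_range, total) - 1
        chunk = self.members[lo:hi + 1]
        # The last chunk is labelled 'N-*', every earlier one 'N-M'.
        label = "*" if hi + 1 >= total else str(hi)
        return {f"member;range={lo}-{label}": chunk}


def fetch_all_members(directory: FakeRangedDirectory) -> List[str]:
    """Full retrieval loop: follow 'range=N-*' until the server marks the end."""
    request: Optional[str] = "member"
    collected: List[str] = []
    while request is not None:
        entry = directory.search(request)
        (name, values), = entry.items()
        collected.extend(values)
        request = next_range_request(name)
    return collected


def fetch_first_chunk_only(directory: FakeRangedDirectory) -> List[str]:
    """What the post describes: treat the ranged reply as the complete value list."""
    (_name, values), = directory.search("member").items()
    return list(values)


if __name__ == "__main__":
    # Constructed group: 3200 members against the default MaxValRange of 1500.
    big_group = FakeRangedDirectory(
        [f"CN=user{i},OU=people,DC=example,DC=com" for i in range(3200)], 1500)
    print("full retrieval :", len(fetch_all_members(big_group)))   # 3200
    print("first chunk    :", len(fetch_first_chunk_only(big_group)))  # 1500
```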
ID Views for IPA ID Views for AD users inconsistent resolution
by Louis Abel
I didn't get a response in #sssd, so I figured I'd try here on the mailing list.
# rpm -q sssd ipa-server
sssd-1.16.0-19.el7_5.5.x86_64
ipa-server-4.5.4-10.el7_5.3.x86_64
I've been scratching my head trying to resolve this particular issue. I'm having issues with AD users where, when they log in, they'll get the UID/GID assigned in the ID views correctly, but only some of the time. Other times, they won't get the ID view assigned to them. This is all done in the default trust view. What makes this issue even more interesting is that out of my 6 domain controllers, sometimes it'll be one server out of the six that does it, sometimes it's two. But it's never the same ones, so it's difficult to track the particular issue down. What's even more interesting is this is not occurring with some users (like my own). I have yet to see it occur with my account or even the rest of my team's accounts. One of the things I tried to do is delete the ID views of the offending users and recreate them, to no avail.
I put SSSD into debug mode on the IPA servers and tried to get some relevant logs and such to try and figure this out. Below is my SSSD configuration, ldb info, and debug logs (removing private information where possible). I'm trying to determine if this is either a bug within SSSD or if this is a misconfiguration on my part.
$ ldbsearch -H cache_ipa.example.com.ldb name=user.name(a)ad.example.com originalADuidNumber uidNumber originalADgidNumber gidNumber
asq: Unable to register control with rootdse!
# record 1
dn: name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb
originalADuidNumber: 55616902
originalADgidNumber: 55616902
uidNumber: 55616902
gidNumber: 55616902
$ ipa idoverrideuser-show "Default Trust View" user.name(a)ad.example.com
Anchor to override: user.name(a)ad.example.com
UID: 40001
GID: 40001
Home directory: /home/user.name
Login shell: /bin/bash
$ ldbsearch -H timestamps_ipa.example.com.ldb | less
dn: name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb
objectCategory: user
originalModifyTimestamp: 20180823172515.0Z
entryUSN: 92632390
initgrExpireTimestamp: 1535133621
lastUpdate: 1535128235
dataExpireTimestamp: 1535133635
distinguishedName: name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb
## DEBUG LOGS
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_set_entry_attr] (0x0200): Entry [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb] has set [ts_cache] attrs.
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-922099545-2851689246-2917073205-16902))].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_print_server] (0x2000): Searching 172.20.23.190:389
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-922099545-2851689246-2917073205-16902))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=chotel,dc=com].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 32
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_op_add] (0x2000): New operation 32 timeout 6
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55f30a5d1080], connected[1], ops[(nil)], ldap[0x55f30a5d0f90]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55f30a5d1940], connected[1], ops[0x55f30a645310], ldap[0x55f30a5ce320]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [ipaanchoruuid=:SID:S-1-5-21-922099545-2851689246-2917073205-16902,cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=chotel,dc=com].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [loginShell]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [uidNumber]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaAnchorUUID]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [homeDirectory]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaOriginalUid]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55f30a5d1940], connected[1], ops[0x55f30a645310], ldap[0x55f30a5ce320]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_op_destructor] (0x2000): Operation 32 finished
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_get_ad_override_done] (0x4000): Found override for object with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-922099545-2851689246-2917073205-16902))].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x4000): Override [uidNumber] with [40001] for [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x0080): Override attribute for [gidNumber] has more [2] than one value, using only the first.
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x4000): Override [gidNumber] with [40001] for [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x4000): Override [homeDirectory] with [/home/user.name] for [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x4000): Override [loginShell] with [/bin/bash] for [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f30a6819a0
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f30a681a60
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Running timer event 0x55f30a6819a0 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Destroying timer event 0x55f30a681a60 "ltdb_timeout"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Ending timer event 0x55f30a6819a0 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [safe_original_attributes] (0x4000): Original object does not have [sshPublicKey] set.
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f30a683c50
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f30a683d10
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Running timer event 0x55f30a683c50 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Destroying timer event 0x55f30a683d10 "ltdb_timeout"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Ending timer event 0x55f30a683c50 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_ldb_msg_difference] (0x2000): Replaced/extended attr [uidNumber] of entry [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f30a68d1c0
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f30a68d280
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Running timer event 0x55f30a68d1c0 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Destroying timer event 0x55f30a68d280 "ltdb_timeout"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Ending timer event 0x55f30a68d1c0 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_set_entry_attr] (0x0200): Entry [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb] has set [cache, ts_cache] attrs.
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f30a68d330
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f30a688900
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Running timer event 0x55f30a68d330 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f30a689320
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f30a6893e0
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Destroying timer event 0x55f30a688900 "ltdb_timeout"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Ending timer event 0x55f30a68d330 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Running timer event 0x55f30a689320 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f30a634920
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f30a6349e0
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Destroying timer event 0x55f30a6893e0 "ltdb_timeout"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Ending timer event 0x55f30a689320 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Running timer event 0x55f30a634920 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Destroying timer event 0x55f30a6349e0 "ltdb_timeout"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Ending timer event 0x55f30a634920 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_initgr_get_overrides_step] (0x1000): Processing group 0/1
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_initgr_get_overrides_step] (0x1000): Fetching group S-1-5-21-922099545-2851689246-2917073205-20676
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-922099545-2851689246-2917073205-20676))].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_print_server] (0x2000): Searching 172.20.23.190:389
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-922099545-2851689246-2917073205-20676))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=chotel,dc=com].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 33
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_op_add] (0x2000): New operation 33 timeout 6
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55f30a5d1940], connected[1], ops[0x55f30a63f270], ldap[0x55f30a5ce320]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55f30a5d1940], connected[1], ops[0x55f30a63f270], ldap[0x55f30a5ce320]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_op_destructor] (0x2000): Operation 33 finished
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-922099545-2851689246-2917073205-20676))].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_initgr_get_overrides_step] (0x1000): Processing group 1/1
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_get_ad_memberships_send] (0x0400): External group information still valid.
## /etc/sssd/sssd.conf
[domain/ipa.example.com]
cache_credentials = True
krb5_store_password_if_offline = True
# krb5_realm = IPA.EXAMPLE.COM
ipa_domain = ipa.example.com
ipa_hostname = entl01.ipa.example.com
# Server Specific Settings
ipa_server = entl01.ipa.example.com
ipa_server_mode = True
subdomain_homedir = %o
fallback_homedir = /home/%u
default_shell = /bin/bash
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
domains = ipa.example.com
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,tomcat,activemq,informix,oracle,xdba,grid,dbadmin,weblogic,operator,postgres,devolog
memcache_timeout = 600
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
2 years, 4 months
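An added diagnostic (not sssd or IPA code) that cross-checks the three artefacts shown in the post above: it parses the ldbsearch record, the `ipa idoverrideuser-show` output and the sssd_be debug lines, reports where the cached uidNumber/gidNumber still carry the original AD values instead of the override, and flags the "has more [2] than one value" warning for gidNumber. The sample inputs are constructed from the values in the post, with the list's "(a)" written as "@".

```python
"""Cross-check an sssd cache entry against the IPA ID override meant for it.

Added example, not sssd or IPA code. Inputs: an ldbsearch record from
cache_<domain>.ldb, `ipa idoverrideuser-show` output, and sssd_be debug
lines. All three samples below are constructed from the post's values.
"""
import re
from typing import Dict, List

LDB_RECORD = """\
dn: name=user.name@ad.example.com,cn=users,cn=ad.example.com,cn=sysdb
originalADuidNumber: 55616902
originalADgidNumber: 55616902
uidNumber: 55616902
gidNumber: 55616902
"""

OVERRIDE_RECORD = """\
Anchor to override: user.name@ad.example.com
UID: 40001
GID: 40001
Home directory: /home/user.name
Login shell: /bin/bash
"""

DEBUG_LOG = """\
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x4000): Override [uidNumber] with [40001] for [name=user.name@ad.example.com,cn=users,cn=ad.example.com,cn=sysdb].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x0080): Override attribute for [gidNumber] has more [2] than one value, using only the first.
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x4000): Override [gidNumber] with [40001] for [name=user.name@ad.example.com,cn=users,cn=ad.example.com,cn=sysdb].
"""

# ipa CLI labels -> sysdb attributes the override is expected to replace
OVERRIDE_TO_SYSDB = {
    "UID": "uidNumber",
    "GID": "gidNumber",
    "Home directory": "homeDirectory",
    "Login shell": "loginShell",
}

MULTI_VALUE_RE = re.compile(
    r"Override attribute for \[(?P<attr>\w+)\] has more \[(?P<n>\d+)\] than one value")
APPLIED_RE = re.compile(
    r"Override \[(?P<attr>\w+)\] with \[(?P<value>[^\]]*)\] for \[(?P<dn>[^\]]*)\]")


def parse_kv_block(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines; works for ldbsearch records and ipa CLI output."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        out[key.strip()] = value.strip()
    return out


def override_mismatches(cache: Dict[str, str], override: Dict[str, str]) -> List[str]:
    """One finding per attribute where the cached entry lacks the override value."""
    findings: List[str] = []
    for label, attr in OVERRIDE_TO_SYSDB.items():
        if label not in override or attr not in cache:
            continue  # not overridden, or not present in this record
        if cache[attr] != override[label]:
            findings.append(
                f"{attr}: cache has {cache[attr]}, override says {override[label]}")
    return findings


def scan_override_log(log: str) -> Dict[str, Dict[str, object]]:
    """Collect the overrides sssd_be applied and the attributes it warned about."""
    applied: Dict[str, str] = {}
    multi_valued: Dict[str, int] = {}
    for line in log.splitlines():
        m = MULTI_VALUE_RE.search(line)
        if m:
            multi_valued[m.group("attr")] = int(m.group("n"))
            continue
        m = APPLIED_RE.search(line)
        if m:
            applied[m.group("attr")] = m.group("value")
    return {"applied": applied, "multi_valued": multi_valued}


def diagnose(ldb_text: str, override_text: str, log_text: str) -> List[str]:
    """Combine both checks into a list of human-readable findings."""
    report = override_mismatches(parse_kv_block(ldb_text), parse_kv_block(override_text))
    scan = scan_override_log(log_text)
    for attr, n in scan["multi_valued"].items():
        chosen = scan["applied"].get(attr, "?")
        # sssd_be logged that it kept only the first of several values, so the
        # effective ID depends on which value the server happened to return first.
        report.append(
            f"{attr}: override object holds {n} values; sssd_be used only the "
            f"first ({chosen}), so the outcome depends on value order")
    return report


if __name__ == "__main__":
    for finding in diagnose(LDB_RECORD, OVERRIDE_RECORD, DEBUG_LOG):
        print(finding)
```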
Starting SSSD without root
by Tero Saarni
Hi,
I'm trying to run SSSD inside a Docker container without the root user. The container is executed in an OpenShift cluster which does not allow running as root inside a container.
SSSD requires root and checks for this specifically.
Is there any workaround for this?
I believe the limitation is implemented for security reasons, in order to have the most critical parts executed as root and have it drop privileges for other parts, but this now completely blocks using SSSD in the above environment.
--
Tero
2 years, 8 months
fast tunnel and authentication indicator
by Abdelkader Chelouah
Hello,
I configured an MIT Krb5-1.18.3 KDC to use FAST OTP with the authentication indicator "strong".
$ cat kdc.conf
...
[otp]
softid = {
server = 192.168.0.68:1812
secret = /etc/.radius.secret
strip_realm = true
indicator = strong
#timeout = <integer> (default: 5 [seconds])
#retries = <integer> (default: 3)
}
The Kerberos realm "DNS.PODMAN" has only two "otp" principals, alice and bob.
$ kadmin.local getstrs alice
otp: [{"type":"softid"}]
$ kadmin.local getstrs bob
otp: [{"type":"softid"}
Alice's password was purged with the command
kadmin.local purgekeys -all alice
On the sssd host (RHEL 7.9), the sssd service uses the following configuration file:
[sssd]
domains = DNS.PODMAN
services = nss,pam,ssh
config_file_version = 2
debug_level = 9
[nss]
filter_users = root
filter_groups = root
reconnection_retries = 3
entry_cache_nowait_percentage = 75
debug_level = 9
[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
[domain/DNS.PODMAN]
debug_level = 0x04000
id_provider = ldap
ldap_uri = ldaps://kerb.dns.podman:636/
ldap_search_base = dc=dns,dc=podman
ldap_schema = rfc2307bis
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca.crt
ldap_sasl_mech = gssapi
ldap_sasl_authid = sssd/sssd.dns.podman
ldap_krb5_keytab = /etc/sssd/sssd.keytab
ldap_krb5_init_creds = true
ldap_krb5_ticket_lifetime = 86400
ldap_user_search_base = ou=people,dc=dns,dc=podman
ldap_user_object_class = posixAccount
ldap_group_search_base = ou=groups,dc=dns,dc=podman
ldap_group_object_class = groupOfNames
ldap_group_gid_number = gidNumber
ldap_group_member = member
auth_provider = krb5
krb5_server = kerb.dns.podman
krb5_realm = DNS.PODMAN
cache_credentials = true
krb5_keytab = /etc/krb5.keytab
krb5_use_fast = try
krb5_fast_principal = host/sssd.dns.podman
min_id = 10000
max_id = 20000
#enumerate = False
enumerate = True
[ssh]
debug_level = 9
# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
2 host/sssd.dns.podman(a)DNS.PODMAN
2 host/sssd.dns.podman(a)DNS.PODMAN
2 host/sssd.dns.podman(a)DNS.PODMAN
2 host/sssd.dns.podman(a)DNS.PODMAN
2 host/sssd.dns.podman(a)DNS.PODMAN
2 host/sssd.dns.podman(a)DNS.PODMAN
The service principal host/sssd.dns.podman is configured to require the "strong" authentication indicator value.
$ kadmin getstrs host/sssd.dns.podman
require_auth: strong
When I ssh to the sssd host with the alice account, authentication using OTP works fine:
[root@client /]# ssh alice@sssd
alice@sssd's password: <otp value>
Last login: Sat Dec 19 19:06:36 2020 from client.dns.podman
[alice@sssd ~]
However, if I ssh to the sssd host with the bob account, I can log in with bob's password even though the service principal host/sssd.dns.podman is configured to require the "strong" authentication indicator value:
[root@client /]# ssh bob@sssd
bob@sssd's password: <bob's password>
Last login: Mon Dec 21 19:05:03 2020 from client.dns.podman
[bob@sssd ~]$
1. Why did password authentication for the bob principal succeed while the authentication indicator is "strong"?
2. Is it possible to configure sssd to enforce "otp" authentication?
2 years, 10 months
select sssd method for authentication
by mbalembo
Hello,
I would like to configure pam_sss.so so as to separate authentication methods; in my case I use both password and smartcard.
My problem is that when a smartcard is inserted, you can't use the password anymore, because it will prompt for the PIN and fail without fallback.
Ideally I'd like to configure pam/sssd/sddm to try the "password" as a password, then try it as a PIN for inserted smartcards.
Can I configure sssd to do that?
My understanding is that even if you set pam_sss to try_cert_auth, it will not fall back to password if a smartcard is inserted.
Thanks for your help,
Marc
2 years, 10 months
sssd taking long time to resolve some queries
by Sanjay Agrawal
We are noticing that sometimes sssd takes very long to resolve some queries. This happens when sssd_be is at 100% CPU during that interval. So with debug_level 9 I tried to capture it, but I see no log updates in sssd_be. Following is sample output from the sssd_be log during this time interval. So is it stuck in save_group? The group in question here is a very large group.
(2020-12-21 13:33:37:929203): [be[mydomain]] [sysdb_ldb_msg_difference] (0x2000): Replaced/extended attr [member] of entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb]
(2020-12-21 13:33:38:018075): [be[mydomain]] [sysdb_set_entry_attr] (0x0200): Entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb] has set [cache, ts_cache] attrs.
(2020-12-21 13:33:38:018253): [be[mydomain]] [sdap_save_groups] (0x4000): Group 4 members processed!
--
(2020-12-21 14:18:13:015516): [be[mydomain]] [sysdb_ldb_msg_difference] (0x2000): Replaced/extended attr [orig_member] of entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb]
(2020-12-21 14:18:13:040536): [be[mydomain]] [sysdb_set_entry_attr] (0x0200): Entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb] has set [cache, ts_cache] attrs.
(2020-12-21 14:18:13:040796): [be[mydomain]] [sdap_save_groups] (0x4000): Group 0 processed!
--
(2020-12-21 14:18:13:102591): [be[mydomain]] [sysdb_ldb_msg_difference] (0x2000): Replaced/extended attr [member] of entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb]
(2020-12-21 14:18:18:782683): [be[mydomain]] [sysdb_set_entry_attr] (0x0200): Entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb] has set [cache, ts_cache] attrs.
(2020-12-21 14:18:18:783006): [be[mydomain]] [sdap_save_groups] (0x4000): Group 0 members processed!
--
(2020-12-21 14:23:13:013189): [be[mydomain]] [sysdb_ldb_msg_difference] (0x2000): Replaced/extended attr [orig_member] of entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb]
(2020-12-21 14:23:13:037017): [be[mydomain]] [sysdb_set_entry_attr] (0x0200): Entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb] has set [cache, ts_cache] attrs.
(2020-12-21 14:23:13:037266): [be[mydomain]] [sdap_save_groups] (0x4000): Group 0 processed!
--
(2020-12-21 14:23:13:098968): [be[mydomain]] [sysdb_ldb_msg_difference] (0x2000): Replaced/extended attr [member] of entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb]
(2020-12-21 14:23:13:765062): [be[mydomain]] [sysdb_set_entry_attr] (0x0200): Entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb] has set [cache, ts_cache] attrs.
(2020-12-21 14:23:13:765277): [be[mydomain]] [sdap_save_groups] (0x4000): Group 0 members processed!
--
(2020-12-21 15:16:01:151526): [be[mydomain]] [sysdb_ldb_msg_difference] (0x2000): Replaced/extended attr [member] of entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb]
(2020-12-21 15:16:07:549879): [be[mydomain]] [sysdb_set_entry_attr] (0x0200): Entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb] has set [cache, ts_cache] attrs.
(2020-12-21 15:16:07:550229): [be[mydomain]] [sdap_save_groups] (0x4000): Group 0 members processed!
--
(2020-12-21 16:06:04:098209): [be[mydomain]] [sysdb_ldb_msg_difference] (0x2000): Replaced/extended attr [member] of entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb]
(2020-12-21 16:06:09:528503): [be[mydomain]] [sysdb_set_entry_attr] (0x0200): Entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb] has set [cache, ts_cache] attrs.
(2020-12-21 16:06:09:528813): [be[mydomain]] [sdap_save_groups] (0x4000): Group 0 members processed!
--
(2020-12-21 16:38:13:017447): [be[mydomain]] [sysdb_ldb_msg_difference] (0x2000): Replaced/extended attr [orig_member] of entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb]
(2020-12-21 16:38:13:043604): [be[mydomain]] [sysdb_set_entry_attr] (0x0200): Entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb] has set [cache, ts_cache] attrs.
(2020-12-21 16:38:13:043817): [be[mydomain]] [sdap_save_groups] (0x4000): Group 2 processed!
--
(2020-12-21 16:38:13:133200): [be[mydomain]] [sysdb_ldb_msg_difference] (0x2000): Replaced/extended attr [member] of entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb]
(2020-12-21 16:38:16:725696): [be[mydomain]] [sysdb_set_entry_attr] (0x0200): Entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb] has set [cache, ts_cache] attrs.
(2020-12-21 16:38:16:726140): [be[mydomain]] [sdap_save_groups] (0x4000): Group 2 members processed!
--
(2020-12-21 17:26:22:880163): [be[mydomain]] [sysdb_ldb_msg_difference] (0x2000): Replaced/extended attr [member] of entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb]
(2020-12-21 17:26:29:093140): [be[mydomain]] [sysdb_set_entry_attr] (0x0200): Entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb] has set [cache, ts_cache] attrs.
(2020-12-21 17:26:29:093619): [be[mydomain]] [sdap_save_groups] (0x4000): Group 0 members processed!
Any help is really appreciated.
Thanks, Sanjay Agrawal
2 years, 11 months
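An added helper (not sssd code) that turns the sssd_be excerpt above into numbers: it pairs each `sysdb_ldb_msg_difference` line with the next `sysdb_set_entry_attr` line for the same entry DN and reports how long each sysdb write of the group took, so the multi-second writes of the `member` attribute stand out from the millisecond `orig_member` ones. The sample lines are taken from the post; the 1-second threshold is an arbitrary choice.

```python
"""Measure how long sssd_be spends writing one group entry into the sysdb cache.

Added example, not sssd code. A "[sysdb_ldb_msg_difference] ... Replaced/
extended attr [X] of entry [DN]" line marks the start of a write and the
following "[sysdb_set_entry_attr] ... Entry [DN] has set [...]" line its
completion; the gap between them is the window the post shows the backend
spending inside sdap_save_groups on a very large group.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Sample lines taken from the post (two saves of the same large group).
SAMPLE_LOG = """\
(2020-12-21 14:18:13:015516): [be[mydomain]] [sysdb_ldb_msg_difference] (0x2000): Replaced/extended attr [orig_member] of entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb]
(2020-12-21 14:18:13:040536): [be[mydomain]] [sysdb_set_entry_attr] (0x0200): Entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb] has set [cache, ts_cache] attrs.
(2020-12-21 14:18:13:040796): [be[mydomain]] [sdap_save_groups] (0x4000): Group 0 processed!
(2020-12-21 14:18:13:102591): [be[mydomain]] [sysdb_ldb_msg_difference] (0x2000): Replaced/extended attr [member] of entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb]
(2020-12-21 14:18:18:782683): [be[mydomain]] [sysdb_set_entry_attr] (0x0200): Entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb] has set [cache, ts_cache] attrs.
(2020-12-21 14:18:18:783006): [be[mydomain]] [sdap_save_groups] (0x4000): Group 0 members processed!
(2020-12-21 15:16:01:151526): [be[mydomain]] [sysdb_ldb_msg_difference] (0x2000): Replaced/extended attr [member] of entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb]
(2020-12-21 15:16:07:549879): [be[mydomain]] [sysdb_set_entry_attr] (0x0200): Entry [name=group1187@mydomain,cn=groups,cn=mydomain,cn=sysdb] has set [cache, ts_cache] attrs.
(2020-12-21 15:16:07:550229): [be[mydomain]] [sdap_save_groups] (0x4000): Group 0 members processed!
"""

# "(YYYY-MM-DD HH:MM:SS:microseconds): [be[domain]] [function] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}:\d{6})\): "
    r"\[be\[[^\]]*\]\] \[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
DIFF_RE = re.compile(r"Replaced/extended attr \[(?P<attr>\w+)\] of entry \[(?P<dn>[^\]]+)\]")
SET_RE = re.compile(r"Entry \[(?P<dn>[^\]]+)\] has set \[")

# (entry DN, attribute written, start time, elapsed seconds)
SaveRecord = Tuple[str, str, datetime, float]


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Split one sssd_be line into (timestamp, function, message)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S:%f")
    return ts, m.group("func"), m.group("msg")


def group_save_durations(log: str) -> List[SaveRecord]:
    """Pair each attribute-replace line with the completion line for the same DN."""
    pending: Dict[str, Tuple[str, datetime]] = {}  # DN -> (attr, started at)
    done: List[SaveRecord] = []
    for raw in log.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, func, msg = parsed
        if func == "sysdb_ldb_msg_difference":
            m = DIFF_RE.search(msg)
            if m:
                pending[m.group("dn")] = (m.group("attr"), ts)
        elif func == "sysdb_set_entry_attr":
            m = SET_RE.search(msg)
            if m and m.group("dn") in pending:
                attr, start = pending.pop(m.group("dn"))
                done.append((m.group("dn"), attr, start, (ts - start).total_seconds()))
    return done


def slow_saves(log: str, threshold_s: float = 1.0) -> List[SaveRecord]:
    """Only the writes that took at least `threshold_s` seconds (arbitrary cut-off)."""
    return [rec for rec in group_save_durations(log) if rec[3] >= threshold_s]


if __name__ == "__main__":
    for dn, attr, start, secs in group_save_durations(SAMPLE_LOG):
        print(f"{start.time()}  {attr:<12} {secs:8.3f}s  {dn}")
```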
Authentication failing
by Orion Poplawski
My laptop has gotten itself into a bad state and won't let me log in:
(2020-12-29 12:32:37): [pam] [sss_cmd_get_version] (0x0200): Received client version [3].
(2020-12-29 12:32:37): [pam] [sss_cmd_get_version] (0x0200): Offered version [3].
(2020-12-29 12:32:37): [pam] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt
(2020-12-29 12:32:37): [pam] [sss_parse_name_for_domains] (0x0200): name 'orion' matched without domain, user is orion
(2020-12-29 12:32:37): [pam] [sss_parse_name_for_domains] (0x0200): using default domain [ad.nwra.com]
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): domain: ad.nwra.com
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): user: orion
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): service: sshd
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): tty: ssh
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): ruser: not set
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): rhost: 10.10.20.7
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): authtok type: 0
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): newauthtok type: 0
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): priv: 1
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): cli_pid: 194899
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): logon name: orion
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): flags: 0
(2020-12-29 12:32:37): [pam] [sss_parse_name_for_domains] (0x0200): name 'orion' matched without domain, user is orion
(2020-12-29 12:32:37): [pam] [sss_parse_name_for_domains] (0x0200): using default domain [ad.nwra.com]
(2020-12-29 12:32:37): [pam] [sss_parse_name_for_domains] (0x0200): name 'orion' matched without domain, user is orion
(2020-12-29 12:32:37): [pam] [sss_parse_name_for_domains] (0x0200): using default domain [ad.nwra.com]
(2020-12-29 12:32:37): [pam] [cache_req_common_process_dp_reply] (0x0040): CR #256: Could not get account info [1432158212]: SSSD is offline
(2020-12-29 12:32:37): [pam] [pam_dp_send_req] (0x0100): Sending request with the following data:
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): domain: ad.nwra.com
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): user: orion(a)ad.nwra.com
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): service: sshd
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): tty: ssh
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): ruser: not set
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): rhost: 10.10.20.7
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): authtok type: 0
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): newauthtok type: 0
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): priv: 1
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): cli_pid: 194899
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): logon name: orion
(2020-12-29 12:32:37): [pam] [pam_print_data] (0x0100): flags: 0
(2020-12-29 12:32:37): [pam] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(2020-12-29 12:32:37): [pam] [pam_dp_send_req_done] (0x0020): PAM handler failed [1432158212]: SSSD is offline
(2020-12-29 12:32:37): [pam] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(2020-12-29 12:32:37): [pam] [pam_reply] (0x0200): blen: 28
(2020-12-29 12:32:37): [pam] [pam_reply] (0x0200): Returning [4]: System error to the client
(2020-12-29 12:32:37): [pam] [client_recv] (0x0200): Client disconnected!
Users are in AD via trust. SSSD should not be offline...
(2020-12-29 11:05:35): [be[nwra.com]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 https://www.nwra.com/
2 years, 11 months
ldap_purge_cache_timeout - can this be disabled
by Sanjay Agrawal
Hi,
I found the following article, and we think we are running into the same issue. We are running sssd on RHEL 7.9. I have the following questions:
1. Is this issue fixed in RHEL 7.9?
2. Is it possible to disable the periodic run of the purge? We basically don't want to purge, in favor of a performance improvement.
3. If so, what is the downside of it?
4. How do I verify whether this is impacting us? I see very high CPU every 3 hours. I thought this may be the cause.
1430415 – ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in
Thanks, Sanjay Agrawal
2 years, 11 months