Change primary group
by Jannis Mann
Hi,
I've sssd running with ldap provider and therefore use a binding account.
In general everything works. I've a question regarding the primary group.
When I log in with any user I have permitted in sssd.conf, all users
have the Domain Users group as primary group.
So if I create a file with UserA, the ownership is UserA:Domain\ Users.
Same goes for UserB etc.
Can I influence the primary group of the sssd users? This
seems quite insecure to me, because I use different permissions for
different users (configured via sudoers files). But if every user is in the
same group..
Thanks for your input!
Jannis
4 years, 1 month
https://pagure.io/SSSD/sssd/issue/3571
by TomK
Hey All,
Is there an example of how this bug is triggered?
https://pagure.io/SSSD/sssd/issue/3571
There's a BZ entry but I can't access it. I'm not able to replicate this
or devise an acceptable scenario using a user/group combination to
trigger it.
So I'm wondering if there's an example AD user/group case that always
triggers this issue.
--
Thx,
4 years, 1 month
AD Users not found with error RefErr: DSID-03100781 in log
by Christoph.Kaunzner@sonydadc.com
Hi All,
I'm using sssd to authenticate users from AD and generally this works fine. However, I have one server that frequently can't resolve AD users:
[root@HOST ~]# id aduser@domain.com
id: aduser@domain.com: no such user
or:
[aduser@HOST ~]# crontab -l
crontab: your UID isn't in the passwd file.
bailing out.
Around that time I see errors like this in the log:
[sssd[be[domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-03100781, data 0, 1 access points
ref 1: 'Domain.com'
After a few minutes it works again.
What puzzles me is that I have 2 other servers with the same config using that same user which don't have any problem.
I'm running sssd-1.16.4-21.el7_7.1 on CentOS Linux release 7.7.1908 (Core)
This is my sssd.conf:
[sssd]
debug_level=9
sbus_timeout = 30
reconnection_retries = 3
services = nss, pam
config_file_version = 2
domains = domain.com
[pam]
debug_level=9
pam_verbosity = 3
reconnection_retries = 3
[nss]
debug_level=9
reconnection_retries = 3
[domain/domain.com]
debug_level=9
ad_site = SITE
use_fully_qualified_names = true
override_homedir = /home/%u
dyndns_update = false
ldap_schema = ad
id_provider = ad
ad_enabled_domains = sub.domain.com, domain.com
ad_gpo_access_control = disabled
case_sensitive = true
cache_credentials = true
min_id = 1000
ldap_id_mapping = False
ldap_group_nesting_level = 4
ldap_user_primary_group = gidNumber
ad_hostname = host.domain.com
ignore_group_members = TRUE
access_provider = simple
simple_allow_groups = group1@domain.com,group2@sub.domain.com,group3@sub.domain.com
Thank you,
Christoph
4 years, 1 month
Re: Can I map an LDAP value of 123456 to a user name of u123456 ?
by patrick.hush@comcast.net
Why on earth would you assign a numeric value to a uid? Just do an ldapmodify and replace the uid with a valid userid (e.g. jsmith), replace uidNumber with the previous value, then get rid of the:
ldap_user_uid_number = uid
ldap_user_gid_number = uid
stuff. You can do this in one LDIF with:
# uid is the naming attribute (RDN) of these entries, so the name is
# changed with modrdn rather than a modify; uidNumber is then replaced.
dn: uid=123456,ou=people,dc=example,dc=com
changetype: modrdn
newrdn: uid=jsmith
deleteoldrdn: 1

dn: uid=jsmith,ou=people,dc=example,dc=com
changetype: modify
replace: uidNumber
uidNumber: 123456
-

dn: uid=123458,ou=people,dc=example,dc=com
changetype: modrdn
newrdn: uid=foobar
deleteoldrdn: 1

dn: uid=foobar,ou=people,dc=example,dc=com
changetype: modify
replace: uidNumber
uidNumber: 123458
-
(just keep going; I'd do an export and work from that)
> On March 10, 2020 at 9:30 PM Michael Lake <Mike.Lake(a)uts.edu.au> wrote:
>
> Example user:
>
> uid: 123456
> mail: Mike.Lake@uts.edu.au
> uidNumber: 200123456
>
> ________________________________________
> From: patrick.hush@comcast.net <patrick.hush@comcast.net>
> Sent: Wednesday, March 11, 2020 9:15 AM
> To: End-user discussions about the System Security Services Daemon
> Subject: [SSSD-users] Re: Can I map an LDAP value of 123456 to a user name of u123456 ?
>
> In LDAP what are the uidNumber and uid attributes for a sample user?
> On March 10, 2020 at 2:45 PM Michael Lake <Mike.Lake(a)uts.edu.au> wrote:
>
> Hi
>
> But I'd still have the problem that my UNIX username needs to be POSIX compliant. So if my number is 123456 and my email is Mike.Lake@uts.edu.au I don't want the actual UNIX username to be an email address with an @ in it. Complicates all sorts of scripts. A username of u123456 is simple.
> Hence being able to just set that using sssd would be simplest if it can be done.
> Slightly more hassle is getting the LDAP changed or writing a PAM module to change the login.
>
> Hence I'd ask if there is something simpler first.
>
> Mike
> ________________________________________
> From: Pavel Březina <pbrezina(a)redhat.com>
> Sent: Wednesday, March 11, 2020 2:31 AM
> To: Michael Lake; End-user discussions about the System Security Services Daemon
> Subject: Re: [SSSD-users] Can I map an LDAP value of 123456 to a user name of u123456 ?
>
> On 3/10/20 1:53 PM, Michael Lake wrote:
> > Pavel suggested:
> > > How about using fully qualified names instead?
> >
> > I'm not very familiar with LDAP. I'm not sure what that would actually
> > look like.
> >
> > What we have now is where users login to a terminal using their number.
> > However with web based logins they do use their email address.
> >
> > I'd have to check tomorrow in the LDAP and check what a fully qualified
> > name actually is.
>
> Fully qualified name is a name in the form of user@domain. I.e. if you
> have [domain/mydomain] in /etc/sssd/sssd.conf the fully qualified name
> will be number@mydomain.
>
> If they are used to login with their email address, you could also
> switch name attribute to the email address attribute if it is in LDAP.
>
> See ldap_user_name in `man sssd-ldap` and use_fully_qualified_names and
> full_name_format in `man sssd.conf`.
>
> > Mike
> >
> > ________________________________________
> > From: Pavel Březina <pbrezina(a)redhat.com>
> > Sent: Tuesday, March 10, 2020 11:33 PM
> > To: End-user discussions about the System Security Services Daemon;
> > Michael Lake
> > Subject: Re: [SSSD-users] Can I map an LDAP value of 123456 to a user
> > name of u123456 ?
> >
> > On 3/10/20 5:11 AM, Michael Lake wrote:
> > > Hi all
> > >
> > > I am currently authenticating users with Centos 6 and sssd to an LDAP
> > > server. I'll be moving to a Centos 8 so I have set up sssd to authenticate
> > > to the LDAP server on my test Centos 8 box. However, our LDAP only
> > > contains all-numeric identifiers for users. Centos 8 no longer
> > > accepts all-numeric user names and group names.
> > >
> > > Currently my sssd.conf contains:
> > >
> > > ldap_user_uid_number = uid
> > > ldap_user_gid_number = uid
> > > override_homedir = /homes/%u
> > >
> > > Our LDAP server contains "uid" values for users like "123456"
> > >
> > > I'll still be able to use the LDAP "uid" for UNIX uid and gid but what
> > > I would like to be able to do is have the user name (and group name)
> > > created by prefixing the LDAP "uid" values with a literal "u" to make
> > > them POSIX compliant.
> > >
> > > Hence a user 123456 with "uid" of 123456 in LDAP can login and end up
> > > with a username of "u123456".
> > > I can't see a way to do that with a simple template in the "man
> > > sssd.conf"
> >
> > How about using fully qualified names instead?
> >
>
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
>
>
>
4 years, 1 month
Re: Can I map an LDAP value of 123456 to a user name of u123456 ?
by patrick.hush@comcast.net
In LDAP what are the uidNumber and uid attributes for a sample user?
> On March 10, 2020 at 2:45 PM Michael Lake <Mike.Lake(a)uts.edu.au> wrote:
>
> Hi
>
> But I'd still have the problem that my UNIX username needs to be POSIX compliant. So if my number is 123456 and my email is Mike.Lake@uts.edu.au I don't want the actual UNIX username to be an email address with an @ in it. Complicates all sorts of scripts. A username of u123456 is simple.
> Hence being able to just set that using sssd would be simplest if it can be done.
> Slightly more hassle is getting the LDAP changed or writing a PAM module to change the login.
>
> Hence I'd ask if there is something simpler first.
>
> Mike
> ________________________________________
> From: Pavel Březina <pbrezina(a)redhat.com>
> Sent: Wednesday, March 11, 2020 2:31 AM
> To: Michael Lake; End-user discussions about the System Security Services Daemon
> Subject: Re: [SSSD-users] Can I map an LDAP value of 123456 to a user name of u123456 ?
>
> On 3/10/20 1:53 PM, Michael Lake wrote:
> > Pavel suggested:
> > > How about using fully qualified names instead?
> >
> > I'm not very familiar with LDAP. I'm not sure what that would actually
> > look like.
> >
> > What we have now is where users login to a terminal using their number.
> > However with web based logins they do use their email address.
> >
> > I'd have to check tomorrow in the LDAP and check what a fully qualified
> > name actually is.
>
> Fully qualified name is a name in the form of user@domain. I.e. if you
> have [domain/mydomain] in /etc/sssd/sssd.conf the fully qualified name
> will be number@mydomain.
>
> If they are used to login with their email address, you could also
> switch name attribute to the email address attribute if it is in LDAP.
>
> See ldap_user_name in `man sssd-ldap` and use_fully_qualified_names and
> full_name_format in `man sssd.conf`.
>
> > Mike
> >
> > ________________________________________
> > From: Pavel Březina <pbrezina(a)redhat.com>
> > Sent: Tuesday, March 10, 2020 11:33 PM
> > To: End-user discussions about the System Security Services Daemon;
> > Michael Lake
> > Subject: Re: [SSSD-users] Can I map an LDAP value of 123456 to a user
> > name of u123456 ?
> >
> > On 3/10/20 5:11 AM, Michael Lake wrote:
> > > Hi all
> > >
> > > I am currently authenticating users with Centos 6 and sssd to an LDAP
> > > server. I'll be moving to a Centos 8 so I have set up sssd to authenticate
> > > to the LDAP server on my test Centos 8 box. However, our LDAP only
> > > contains all-numeric identifiers for users. Centos 8 no longer
> > > accepts all-numeric user names and group names.
> > >
> > > Currently my sssd.conf contains:
> > >
> > > ldap_user_uid_number = uid
> > > ldap_user_gid_number = uid
> > > override_homedir = /homes/%u
> > >
> > > Our LDAP server contains "uid" values for users like "123456"
> > >
> > > I'll still be able to use the LDAP "uid" for UNIX uid and gid but what
> > > I would like to be able to do is have the user name (and group name)
> > > created by prefixing the LDAP "uid" values with a literal "u" to make
> > > them POSIX compliant.
> > >
> > > Hence a user 123456 with "uid" of 123456 in LDAP can login and end up
> > > with a username of "u123456".
> > > I can't see a way to do that with a simple template in the "man
> > > sssd.conf"
> >
> > How about using fully qualified names instead?
> >
>
>
4 years, 1 month
Re: Can I map an LDAP value of 123456 to a user name of u123456 ?
by Pavel Březina
On 3/10/20 1:53 PM, Michael Lake wrote:
> Pavel suggested:
> > How about using fully qualified names instead?
>
> I'm not very familiar with LDAP. I'm not sure what that would actually
> look like.
>
> What we have now is where users login to a terminal using their number.
> However with web based logins they do use their email address.
>
> I'd have to check tomorrow in the LDAP and check what a fully qualified
> name actually is.
Fully qualified name is a name in the form of user@domain. I.e. if you
have [domain/mydomain] in /etc/sssd/sssd.conf the fully qualified name
will be number@mydomain.
If they are used to login with their email address, you could also
switch name attribute to the email address attribute if it is in LDAP.
See ldap_user_name in `man sssd-ldap` and use_fully_qualified_names and
full_name_format in `man sssd.conf`.
> Mike
>
> ________________________________________
> From: Pavel Březina <pbrezina(a)redhat.com>
> Sent: Tuesday, March 10, 2020 11:33 PM
> To: End-user discussions about the System Security Services Daemon;
> Michael Lake
> Subject: Re: [SSSD-users] Can I map an LDAP value of 123456 to a user
> name of u123456 ?
>
> On 3/10/20 5:11 AM, Michael Lake wrote:
> > Hi all
> >
> > I am currently authenticating users with Centos 6 and sssd to an LDAP
> > server. I'll be moving to a Centos 8 so I have set up sssd to authenticate
> > to the LDAP server on my test Centos 8 box. However, our LDAP only
> > contains all-numeric identifiers for users. Centos 8 no longer
> > accepts all-numeric user names and group names.
> >
> > Currently my sssd.conf contains:
> >
> > ldap_user_uid_number = uid
> > ldap_user_gid_number = uid
> > override_homedir = /homes/%u
> >
> > Our LDAP server contains "uid" values for users like "123456"
> >
> > I'll still be able to use the LDAP "uid" for UNIX uid and gid but what
> > I would like to be able to do is have the user name (and group name)
> > created by prefixing the LDAP "uid" values with a literal "u" to make
> > them POSIX compliant.
> >
> > Hence a user 123456 with "uid" of 123456 in LDAP can login and end up
> > with a username of "u123456".
> > I can't see a way to do that with a simple template in the "man
> > sssd.conf"
>
> How about using fully qualified names instead?
>
4 years, 1 month
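As an added illustration (not code from the thread or from the sssd project), the following Python emulates the two sssd.conf knobs Pavel points at, using the LDAP-provider defaults printed in `man sssd.conf` for re_expression and full_name_format. The sample entry, the domain section name `mydomain` and the alternative regex `(?P<name>.+)` are constructed assumptions. It shows that `123456@mydomain` is no longer an all-numeric name, and that switching ldap_user_name to a mail attribute makes the default re_expression split the login at the first `@`, so the domain lookup fails unless re_expression is adjusted.

```python
import re

# Defaults for the LDAP provider as printed by `man sssd.conf`:
#   re_expression    splits a login string into name and domain
#   full_name_format renders the fully qualified name; %1$s is the user
#                    name, %2$s the domain name from sssd.conf, %3$s the
#                    domain flat name
DEFAULT_RE_EXPRESSION = r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)"
DEFAULT_FULL_NAME_FORMAT = "%1$s@%2$s"

# Constructed sample entry modelled on the one quoted in the thread; the
# [domain/mydomain] section name is an assumption.
SAMPLE_ENTRY = {"uid": "123456", "mail": "Mike.Lake@uts.edu.au",
                "uidNumber": "200123456"}
SAMPLE_DOMAIN = "mydomain"


def format_full_name(name, domain, flat_name="", fmt=DEFAULT_FULL_NAME_FORMAT):
    """Render full_name_format, emulating printf-style positional %N$s."""
    args = {"1": name, "2": domain, "3": flat_name}
    return re.sub(r"%([123])\$s", lambda m: args[m.group(1)], fmt)


def parse_login(login, re_expression=DEFAULT_RE_EXPRESSION):
    """Split a login string with re_expression; domain is None if absent."""
    m = re.match(re_expression, login)
    if m is None:
        return None
    return m.group("name"), (m.groupdict().get("domain") or None)


def candidate_domains(login, configured, re_expression=DEFAULT_RE_EXPRESSION):
    """Configured [domain/...] sections consulted for this login string.

    No domain part: all configured domains, in order.  A domain part that
    matches none of them: an empty list, i.e. the user is not found.
    """
    parsed = parse_login(login, re_expression)
    if parsed is None:
        return []
    _, domain = parsed
    if domain is None:
        return list(configured)
    return [d for d in configured if d.lower() == domain.lower()]


def exposed_name(entry, name_attr, domain=SAMPLE_DOMAIN, fully_qualified=True):
    """Name sssd would return for ldap_user_name=<name_attr> under the
    default full_name_format, with or without use_fully_qualified_names."""
    name = entry[name_attr]
    return format_full_name(name, domain) if fully_qualified else name


if __name__ == "__main__":
    for attr in ("uid", "mail"):
        for fq in (False, True):
            n = exposed_name(SAMPLE_ENTRY, attr, fully_qualified=fq)
            print(f"ldap_user_name={attr:<4} fqn={fq!s:<5} -> {n!r:32}"
                  f" all-numeric={n.isdigit()}"
                  f" lookup={candidate_domains(n, [SAMPLE_DOMAIN])}")
```

With `ldap_user_name = mail` the fully qualified form `Mike.Lake@uts.edu.au@mydomain` does not match the default re_expression at all, which is the case the caveat in the lead-in refers to.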
Can I map an LDAP value of 123456 to a user name of u123456 ?
by Michael Lake
Hi all
I am currently authenticating users with Centos 6 and sssd to an LDAP
server. I'll be moving to a Centos 8 so I have set up sssd to authenticate
to the LDAP server on my test Centos 8 box. However, our LDAP only
contains all-numeric identifiers for users. Centos 8 no longer accepts all-numeric user names and group names.
Currently my sssd.conf contains:
ldap_user_uid_number = uid
ldap_user_gid_number = uid
override_homedir = /homes/%u
Our LDAP server contains "uid" values for users like "123456"
I'll still be able to use the LDAP "uid" for UNIX uid and gid but what
I would like to be able to do is have the user name (and group name)
created by prefixing the LDAP "uid" values with a literal "u" to make
them POSIX compliant.
Hence a user 123456 with "uid" of 123456 in LDAP can login and end up
with a username of "u123456".
I can't see a way to do that with a simple template in the "man
sssd.conf"
Mike Lake
4 years, 1 month