Re: KCM kerberos cache and su via smartcard
by Orion Poplawski
On 4/22/20 4:39 PM, Orion Poplawski wrote:
> Hello -
>
> I'm testing out the KCM kerberos cache on EL 7.8
> (sssd-kcm-1.16.4-37.el7_8.1.x86_64) and have found that when I su to
> another user using a smartcard (entering a PIN) I no longer receive a
> kerberos ticket. This worked when I was using the KEYRING cache type.
> Our users are in AD via a trust. I do get a ticket when I use my
> password to authenticate.
>
> Is this a known issue? I couldn't find any reports.
>
> - Orion
I think I found the appropriate ticket:
https://pagure.io/SSSD/sssd/issue/3903
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 https://www.nwra.com/
3 years, 12 months
fallout from DNS failure
by Charles Hedrick
We just had to restart sssd on a large number of machines because we had a period of DNS failure. We're using IPA as the backend. Failures occurred on CentOS 7 and 8 and Ubuntu 18.
I don't necessarily expect everything to work when DNS is dead, but I did expect it to recover.
For the moment we’re adding entries to /etc/hosts on all of our systems for the IPA servers and our main file servers. Unfortunately DNS is run by the campus, so it’s not under our control.
3 years, 12 months
ID provider AD vs LDAP
by Michael Dahlberg
I'm attempting to set up SSSD using AD as the id provider. All the documentation that I've found results in the Linux system joining the AD domain when configuring sssd in this manner. I would like to configure sssd running on RHEL to just do authorization (access_provider) against the AD domain and *not* actually join the AD domain. I assume that this would mean I should not set "access_provider = ad". Instead, should this value be set to ldap?
If I configure sssd to use LDAP as the access provider, how would I address the Active Directory domain ad.example.com using the "ldap://" notation? Would there be any other changes that I would need to address in the sssd.conf examples that use ldap as the access provider?
3 years, 12 months
sssd v. 1.11.8
by Jannis Mann
Hi,
I hope you all had some nice days off.
I am running sssd successfully on 1.16.1 and on 1.13.4.
Now I have a few old Ubuntu 14.04 machines and I can't get sssd running.
Basically I have the same config as on 1.16.1 and 1.13.4, only threw out some
parameters that are not implemented in 1.11.8 yet.
I checked for every parameter I've used in the config whether it exists in
this very version, and they do if I am not mistaken.
Error is:
(Tue Apr 14 08:43:39:879756 2020) [sssd] [sss_ini_get_config] (0x0010):
Failed to parse configuration. Error 5.
(Tue Apr 14 08:43:39:879806 2020) [sssd] [sss_ini_get_config] (0x0010):
Errors detected while parsing: /etc/sssd/sssd.conf
(Tue Apr 14 08:43:39:879893 2020) [sssd] [sss_ini_config_print_errors]
(0x0020): Error (5) on line 1: Equal sign is missing.
(Tue Apr 14 08:43:39:879913 2020) [sssd] [confdb_init_db] (0x0010): Failed
to load configuration
(Tue Apr 14 08:43:39:879942 2020) [sssd] [load_configuration] (0x0010):
ConfDB initialization has failed [Input/output error]
(Tue Apr 14 08:43:39:879981 2020) [sssd] [main] (0x0020): SSSD couldn't
load the configuration database.
I've found some bug report saying comments should start at the beginning of
the line, which they do (I also removed all of them).
The first line obviously is [sssd], so I don't get where an equal sign should
be missing. Also, as said, the config is running on other versions as well...
This is the config I am using for 1.11.8:
[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = FOO
[nss]
default_shell = /bin/bash
override_homedir = /home/%d/%u
filter_users = root
filter_groups = root
debug_level = 7
[pam]
debug_level = 7
offline_credentials_expiration = 4
[domain/FOO]
debug_level = 7
case_sensitive = False
cache_credentials = True
account_cache_expiration = 4
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter = (xxx)
ldap_id_mapping = True
ldap_schema = ad
ldap_search_base = OU=xx,DC=xx,DC=xx
ldap_group_nesting_level = 1
ldap_use_tokengroups = False
ldap_tls_cacert = /etc/sssd/root-ca.crt
ldap_uri = ldaps://xxxx:636
ldap_default_bind_dn = CN=xxx
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = AAAQAGtLXaf5yvs2e00KaMiPq8/FPF/ks97V4TcQmNJGFgQ4xMvg8wSIy54PU7xP09Kf/Z2KcHvcAAQID
ignore_group_members = True
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))
4 years
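As an added example (not from the thread), a small pre-flight check for the invisible things that make a strict INI parser report "Equal sign is missing" on line 1 (a UTF-8 BOM, CRLF endings, non-ASCII whitespace) or on a value that a mail client wrapped onto its own line. The sample bytes are constructed, with a BOM and CRLF endings inserted deliberately; the function name is mine.

```python
import re
import sys
from typing import List, Tuple

# Constructed sample, not the poster's actual file: a BOM, CRLF endings and a
# wrapped re_expression value are inserted on purpose so the checker has work to do.
SAMPLE = (b"\xef\xbb\xbf[sssd]\r\nconfig_file_version = 2\r\nservices = nss, pam, ssh\r\n"
          b"re_expression =\r\n(((?P<domain>[^\\\\]+)\\\\(?P<name>.+$))\r\n")

SECTION_RE = re.compile(r"^\[[^\]]+\]$")


def lint_sssd_conf(raw: bytes) -> List[Tuple[int, str]]:
    """Return (line_number, message) pairs for content a strict INI parser rejects.

    Line 0 is used for file-wide findings (line-ending style)."""
    findings: List[Tuple[int, str]] = []
    if raw.startswith(b"\xef\xbb\xbf"):
        # The BOM makes line 1 read as "\ufeff[sssd]", which is no longer a
        # section header, so the parser expects key = value and finds no '='.
        findings.append((1, "UTF-8 BOM before the first section header"))
        raw = raw[3:]
    if b"\r\n" in raw:
        findings.append((0, "CRLF line endings (file edited on Windows?)"))
    text = raw.decode("utf-8", errors="replace").replace("\r\n", "\n")
    for lineno, line in enumerate(text.split("\n"), 1):
        stripped = line.strip()
        if not stripped:
            continue
        if stripped[0] in "#;":
            if line != line.lstrip():
                findings.append((lineno, "comment does not start at beginning of line"))
            continue
        if any(ord(c) > 127 for c in stripped):
            findings.append((lineno, "non-ASCII character (non-breaking space?)"))
        if SECTION_RE.match(stripped):
            continue
        if "=" not in stripped:
            findings.append((lineno, "Equal sign is missing (value wrapped from previous line?)"))
    return findings


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for n, msg in lint_sssd_conf(data):
        print(f"line {n}: {msg}")
```

Run it with the path to sssd.conf as the argument to check a real file; with no argument it checks the constructed sample.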
Prompting Configuration Section - changing prompt problems
by Greg Skelton
Hey guys,
First off, this is great stuff. I appreciate SSSD and what it can do for my small network.
https://docs.pagure.org/SSSD.sssd/design_pages/prompting_configuration.ht...
I've been reading this webpage and I've been retrying everything that I can think of for the configuration.
It's a really basic question: where would this go in my sssd.conf?
[prompting/password]
password_prompt = Active Directory Password:
I wanted to make sure my users know the Linux server is asking for an AD password.
Anywhere I've put that bit of configuration, sssctl config-check said it was wrong.
Any hints?
Many thanks
4 years
Heads up. Moving to github on April 8
by Pavel Březina
The SSSD repository is currently spread over multiple places. We use Pagure
[1][2] to manage upstream issues and documentation and GitHub [3] as our
main development platform.
We chose to move to a single platform to reduce the number of tools we
use and to have everything in one place. We decided to move from Pagure
to GitHub.
There are several steps that need to be done in order to achieve this
change, but the most significant for our users and contributors is: we
will no longer accept new issues and pull requests in Pagure and we will
kindly ask you to use GitHub instead.
I will disable issues and pull requests on Pagure and enable issues on
GitHub on Wednesday, April 8.
Thank you.
Best regards,
Pavel.
[1] https://pagure.io/SSSD/sssd
[2] https://pagure.io/SSSD/docs
[3] https://github.com/SSSD/sssd
4 years
SSSD and SafeNet Etoken
by mbalembo
Hello,
I'm having trouble adding eToken support to SSSD/OpenLDAP on Gentoo.
I have set up nssdb in /etc/pki/nssdb and added the SafeNet library to access
the eToken.
I can successfully get the certificate in the token with:
# /usr/libexec/sssd/p11_child --pre --nssdb=/etc/pki/CA/
Now, to sssd itself:
I'm trying an ssh login, and the output on the terminal is:
# ssh bar(a)example.com
Please enter smart card
Please enter smart card
Please enter smart card
bar(a)example.com: Permission denied (publickey,keyboard-interactive).
I can see in p11_child.log that it uses nssdb to (successfully!)
connect to the smartcard.
I can see the correct label, the correct subject.
The keyId is found (I don't understand why I need it and I'm not sure if
the value I picked is right?)
Anyway, I get my URI; everything seems fine on this side.
Looking at sss_LDAP.log, I can see the request; everything looks cool, I
got:
sssd.dataprovider.pamHandler: Success
On the other side, in sss_pam.log I can see the same request but it ends
with:
[pam_dp_send_req_done] (0x0200): received: [28 (Module inconnu)][LDAP]
(..)
[pam_eval_prompting_config] (0x4000): No prompting configuration
found.
(Thu Apr 2 15:23:08 2020) [sssd[pam]] [pam_reply] (0x0200): blen: 21
(Thu Apr 2 15:23:08 2020) [sssd[pam]] [pam_reply] (0x0200):
Returning [28]: Module inconnu to the client
(Thu Apr 2 15:23:08 2020) [sssd[pam]] [client_recv] (0x0200):
Client disconnected!
I'm confused at how to understand this.
The sssd.conf is attached.
Thanks,
Marc
4 years