sssd performance on large domains
by zfnoctis@gmail.com
Hi,
I'm wondering if there are any plans to improve sssd performance on large active directory domains (100k+ users, 40k+ groups), or if there are settings I am not aware of that can greatly improve performance, specifically for workstation use cases.
Currently if I do not set "ignore_group_members = True" in sssd.conf, logins can take upwards of 6 minutes and "sssd_be" will max the CPU for up to 20 minutes after logon, which makes it a non-starter. The reason I want to allow group members to be seen is that I want certain domain groups to be able to perform elevated actions using polkit. If I ignore group members, polkit reports that the group is empty and so no one can elevate in the graphical environment.
Ultimately this means that Linux workstations are at a severe disadvantage since they cannot be bound to the domain and have the normal set of access features users and IT expect from macOS or Windows.
Distributions used: Ubuntu 16.04 (sssd 1.13.4-1ubuntu1.1), Ubuntu 16.10 (sssd 1.13.4-3) and Fedora 24 (sssd-1.13.4-3.fc24). All exhibit the same problems.
I've also tried "ldap_group_nesting_level = 1" without seeing any noticeable improvement with respect to performance. Putting the database on /tmp isn't viable as these are workstations that will reboot semi-frequently, and I don't believe this is an I/O bound performance issue anyway.
Thanks for your time.
1 year, 4 months
ID Views for IPA ID Views for AD users inconsistent resolution
by Louis Abel
I didn't get a response in #sssd, so I figured I'll try here at the mail list.
# rpm -q sssd ipa-server
sssd-1.16.0-19.el7_5.5.x86_64
ipa-server-4.5.4-10.el7_5.3.x86_64
I've been scratching my head trying to resolve this particular issue. I'm having issues with AD users where when they log in, they'll get the UID/GID assigned in the ID views correctly, but only some of the time. Other times, they won't get the ID view assigned to them. This is all done in the default trust view. What makes this issue even more interesting is that out of my 6 domain controllers, sometimes it'll be one server out of the six that does it, sometimes it's two. But it's never the same ones, so it's difficult to track the particular issue down. What's even more interesting is this is not occurring with some users (like my own). I have yet to see it occur with my account or even the rest of my team's accounts. One of the things I tried to do is delete the ID views of the offending users and recreate them, to no avail.
I put SSSD into debug mode on the IPA servers and tried to get some relevant logs and such to try and figure this out. Below is my SSSD configuration, ldb info, and debug logs (removing private information where possible). I'm trying to determine if this is either a bug within SSSD or if this is a misconfiguration on my part.
$ ldbsearch -H cache_ipa.example.com.ldb name=user.name(a)ad.example.com originalADuidNumber uidNumber originalADgidNumber gidNumber
asq: Unable to register control with rootdse!
# record 1
dn: name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb
originalADuidNumber: 55616902
originalADgidNumber: 55616902
uidNumber: 55616902
gidNumber: 55616902
$ ipa idoverrideuser-show "Default Trust View" user.name(a)ad.example.com
Anchor to override: user.name(a)ad.example.com
UID: 40001
GID: 40001
Home directory: /home/user.name
Login shell: /bin/bash
$ ldbsearch -H timestamps_ipa.example.com.ldb | less
dn: name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb
objectCategory: user
originalModifyTimestamp: 20180823172515.0Z
entryUSN: 92632390
initgrExpireTimestamp: 1535133621
lastUpdate: 1535128235
dataExpireTimestamp: 1535133635
distinguishedName: name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb
## DEBUG LOGS
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_set_entry_attr] (0x0200): Entry [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb] has set [ts_cache] attrs.
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-922099545-2851689246-2917073205-16902))].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_print_server] (0x2000): Searching 172.20.23.190:389
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-922099545-2851689246-2917073205-16902))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=chotel,dc=com].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 32
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_op_add] (0x2000): New operation 32 timeout 6
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55f30a5d1080], connected[1], ops[(nil)], ldap[0x55f30a5d0f90]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55f30a5d1940], connected[1], ops[0x55f30a645310], ldap[0x55f30a5ce320]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [ipaanchoruuid=:SID:S-1-5-21-922099545-2851689246-2917073205-16902,cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=chotel,dc=com].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [loginShell]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [uidNumber]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaAnchorUUID]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [homeDirectory]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaOriginalUid]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55f30a5d1940], connected[1], ops[0x55f30a645310], ldap[0x55f30a5ce320]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_op_destructor] (0x2000): Operation 32 finished
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_get_ad_override_done] (0x4000): Found override for object with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-922099545-2851689246-2917073205-16902))].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x4000): Override [uidNumber] with [40001] for [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x0080): Override attribute for [gidNumber] has more [2] than one value, using only the first.
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x4000): Override [gidNumber] with [40001] for [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x4000): Override [homeDirectory] with [/home/user.name] for [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x4000): Override [loginShell] with [/bin/bash] for [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f30a6819a0
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f30a681a60
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Running timer event 0x55f30a6819a0 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Destroying timer event 0x55f30a681a60 "ltdb_timeout"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Ending timer event 0x55f30a6819a0 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [safe_original_attributes] (0x4000): Original object does not have [sshPublicKey] set.
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f30a683c50
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f30a683d10
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Running timer event 0x55f30a683c50 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Destroying timer event 0x55f30a683d10 "ltdb_timeout"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Ending timer event 0x55f30a683c50 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_ldb_msg_difference] (0x2000): Replaced/extended attr [uidNumber] of entry [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f30a68d1c0
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f30a68d280
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Running timer event 0x55f30a68d1c0 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Destroying timer event 0x55f30a68d280 "ltdb_timeout"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Ending timer event 0x55f30a68d1c0 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_set_entry_attr] (0x0200): Entry [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb] has set [cache, ts_cache] attrs.
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f30a68d330
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f30a688900
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Running timer event 0x55f30a68d330 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f30a689320
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f30a6893e0
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Destroying timer event 0x55f30a688900 "ltdb_timeout"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Ending timer event 0x55f30a68d330 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Running timer event 0x55f30a689320 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f30a634920
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f30a6349e0
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Destroying timer event 0x55f30a6893e0 "ltdb_timeout"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Ending timer event 0x55f30a689320 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Running timer event 0x55f30a634920 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Destroying timer event 0x55f30a6349e0 "ltdb_timeout"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Ending timer event 0x55f30a634920 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_initgr_get_overrides_step] (0x1000): Processing group 0/1
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_initgr_get_overrides_step] (0x1000): Fetching group S-1-5-21-922099545-2851689246-2917073205-20676
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-922099545-2851689246-2917073205-20676))].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_print_server] (0x2000): Searching 172.20.23.190:389
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-922099545-2851689246-2917073205-20676))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=chotel,dc=com].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 33
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_op_add] (0x2000): New operation 33 timeout 6
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55f30a5d1940], connected[1], ops[0x55f30a63f270], ldap[0x55f30a5ce320]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55f30a5d1940], connected[1], ops[0x55f30a63f270], ldap[0x55f30a5ce320]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_op_destructor] (0x2000): Operation 33 finished
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-922099545-2851689246-2917073205-20676))].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_initgr_get_overrides_step] (0x1000): Processing group 1/1
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_get_ad_memberships_send] (0x0400): External group information still valid.
## /etc/sssd/sssd.conf
[domain/ipa.example.com]
cache_credentials = True
krb5_store_password_if_offline = True
# krb5_realm = IPA.EXAMPLE.COM
ipa_domain = ipa.example.com
ipa_hostname = entl01.ipa.example.com
# Server Specific Settings
ipa_server = entl01.ipa.example.com
ipa_server_mode = True
subdomain_homedir = %o
fallback_homedir = /home/%u
default_shell = /bin/bash
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
domains = ipa.example.com
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,tomcat,activemq,informix,oracle,xdba,grid,dbadmin,weblogic,operator,postgres,devolog
memcache_timeout = 600
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
1 year, 10 months
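As an added example (not code from the post, from SSSD or from FreeIPA), the following Python script does mechanically what the post above does by hand: it parses the cached user record from `ldbsearch`, parses `ipa idoverrideuser-show`, and cross-checks the two together with the `sysdb_apply_default_override` messages from the debug log. The sample inputs are constructed from the values shown in the post (with the list archive's `(a)` restored to `@`); the message formats are the ones visible in the log. One line in the posted log deserves attention: the warning that the gidNumber override carries two values and SSSD uses only the first. Because LDAP does not guarantee the order of a multi-valued attribute, a different server can hand back a different "first", so the script flags it as a candidate explanation for per-server differences (a hypothesis, not something the post confirms).

```python
"""Triage helper for FreeIPA ID view overrides in the SSSD cache (added example)."""
import re
from typing import Dict, List

# Constructed samples reproducing the values shown in the post.
LDB_OUTPUT = """\
asq: Unable to register control with rootdse!
# record 1
dn: name=user.name@ad.example.com,cn=users,cn=ad.example.com,cn=sysdb
originalADuidNumber: 55616902
originalADgidNumber: 55616902
uidNumber: 55616902
gidNumber: 55616902
"""

IPA_OVERRIDE_OUTPUT = """\
  Anchor to override: user.name@ad.example.com
  UID: 40001
  GID: 40001
  Home directory: /home/user.name
  Login shell: /bin/bash
"""

DEBUG_LOG = [
    "(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x4000): Override [uidNumber] with [40001] for [name=user.name@ad.example.com,cn=users,cn=ad.example.com,cn=sysdb].",
    "(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x0080): Override attribute for [gidNumber] has more [2] than one value, using only the first.",
    "(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x4000): Override [gidNumber] with [40001] for [name=user.name@ad.example.com,cn=users,cn=ad.example.com,cn=sysdb].",
]

# Labels printed by 'ipa idoverrideuser-show' -> attribute name used in the sysdb cache.
IPA_TO_SYSDB = {
    "UID": "uidNumber",
    "GID": "gidNumber",
    "Home directory": "homeDirectory",
    "Login shell": "loginShell",
}

# Message shapes copied from the post's debug log.
OVERRIDE_APPLIED = re.compile(r"Override \[(\w+)\] with \[([^\]]*)\] for \[")
OVERRIDE_MULTI = re.compile(r"Override attribute for \[(\w+)\] has more \[(\d+)\] than one value")


def parse_ldb_record(text: str) -> Dict[str, List[str]]:
    """Parse the first LDIF-style record of ldbsearch output into attr -> values."""
    attrs: Dict[str, List[str]] = {}
    in_record = False
    for line in text.splitlines():
        if line.startswith("dn:"):
            in_record = True            # the record starts at its dn
        elif not in_record or line.startswith("#"):
            continue                    # asq warning, '# record N' comments
        elif not line.strip():
            break                       # blank line ends the first record
        key, sep, value = line.partition(":")
        if sep:
            attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs


def parse_ipa_override(text: str) -> Dict[str, str]:
    """Parse 'ipa idoverrideuser-show' output into sysdb attr -> expected value."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        label, _, value = line.strip().partition(":")
        attr = IPA_TO_SYSDB.get(label.strip())
        if attr:
            expected[attr] = value.strip()
    return expected


def applied_overrides(log_lines: List[str]) -> Dict[str, str]:
    """Attribute -> value that sysdb_apply_default_override reports applying."""
    applied: Dict[str, str] = {}
    for line in log_lines:
        m = OVERRIDE_APPLIED.search(line)
        if m:
            applied[m.group(1)] = m.group(2)
    return applied


def multivalued_overrides(log_lines: List[str]) -> Dict[str, int]:
    """Attributes whose override object carried more than one value."""
    found: Dict[str, int] = {}
    for line in log_lines:
        m = OVERRIDE_MULTI.search(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def check_consistency(cached: Dict[str, List[str]], expected: Dict[str, str],
                      applied: Dict[str, str], multi: Dict[str, int]) -> List[str]:
    """Return findings; an empty list means the cache agrees with the ID view."""
    findings: List[str] = []
    for attr, want in expected.items():
        got = cached.get(attr, [])
        if got and got != [want]:
            findings.append(f"{attr}: cache has {got}, ID view says {want}"
                            " (override not applied to this cached entry)")
    for attr, n in multi.items():
        findings.append(f"{attr}: override object carries {n} values and SSSD keeps"
                        " the first; LDAP value order is not guaranteed, so servers may differ")
    for attr, val in applied.items():
        if attr in expected and val != expected[attr]:
            findings.append(f"{attr}: log applied {val} but ID view says {expected[attr]}")
    return findings


def triage(ldb_text: str = LDB_OUTPUT, ipa_text: str = IPA_OVERRIDE_OUTPUT,
           log_lines: List[str] = DEBUG_LOG) -> List[str]:
    """Run all checks over the three inputs and return the findings."""
    return check_consistency(parse_ldb_record(ldb_text), parse_ipa_override(ipa_text),
                             applied_overrides(log_lines), multivalued_overrides(log_lines))


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

Run against the posted values, the script reports the uidNumber and gidNumber mismatch between the cache (55616902) and the view (40001), plus the two-valued gidNumber override. In a real investigation you would feed it the `ldbsearch` output from each of the six IPA servers and compare which ones disagree.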
sssd-krb5, krb5_ccachedir, DIR-cache-store...
by Jostein Fossheim
We are working with several kerberos-REALMS and are trying to get our clients to store their kerberos tickets in a DIRECTORY. This seems to work nicely for clients not authenticating at login, with the following configuration set in /etc/krb5.conf.
...
[libdefaults]
...
default_ccache_name = DIR:/tmp/krb5cc_%{uid}
...
user@server:~$ klist
Ticket cache: DIR::/tmp/krb5cc_888/tkt
Default principal: user@REALM
Valid starting Expires Service principal
09/22/19 17:35:50 09/23/19 17:35:48 krbtgt/user@REALM
Each ticket is stored in a separate file.
For clients using sssd for login, I want to set up the same behavior. But when I attempt to log in, the system creates "/tmp/krb5cc_${UID}" - but here the directory doesn't get the executable bit set (that is, the directory gets 0600 permissions), and the login fails.
In the man page from Debian buster (sssd version: 1.16.3), there are two settings that seem to regulate this behaviour:
krb5_ccachedir (string)
Directory to store credential caches. All the substitution sequences of krb5_ccname_template can be used here, too, except %d and %P. The directory is created as private and owned by the user, with permissions set to 0700.
Default: /tmp
krb5_ccname_template (string)
Location of the user's credential cache. Three credential cache types are currently supported: "FILE", "DIR" and "KEYRING:persistent". The cache can be specified either as TYPE:RESIDUAL, or as an absolute path, which implies the "FILE" type. In the template, the following sequences are substituted:
[...]
If the template ends with 'XXXXXX' mkstemp(3) is used to create a unique filename in a safe way.
When using KEYRING types, the only supported mechanism is "KEYRING:persistent:%U", which uses the Linux kernel keyring to store credentials on a per-UID basis. This is also the recommended choice, as it is the most secure and predictable method.
The default value for the credential cache name is sourced from the profile stored in the system wide krb5.conf configuration file in the [libdefaults] section. The option name is default_ccache_name. See krb5.conf(5)'s PARAMETER EXPANSION paragraph for additional information on the expansion format defined by krb5.conf.
NOTE: Please be aware that libkrb5 ccache expansion template from krb5.conf(5) uses different expansion sequences than SSSD.
Default: (from libkrb5)
...
I have tried to both set and unset the two parameters in question, like this:
krb5_ccachedir = /tmp/krb5cc_%U
krb5_ccname_template = DIR: %d
krb5_ccname_template = DIR:%d/krb5cc_%U_XXXXXX
But the configuration options seem to be ignored, no matter what I do, and I have the same behavior: A non-executable directory is created and the user is unable to log in.
If I set the +x bit on the directory manually as the root-user, everything works.
2 years, 5 months
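The man page text quoted in the post says SSSD creates krb5_ccachedir as a private 0700 directory, and the symptom is a 0600 directory the user cannot enter. As an added example (not from the post, not SSSD or MIT code), the POSIX shell function below checks a DIR: cache directory for the properties libkrb5 needs: a real directory rather than a symlink, owned by the expected uid, mode exactly 0700. Path and uid are arguments; GNU coreutils `stat -c` is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): validate a DIR: ccache directory.
# Assumes GNU coreutils stat (-c). Usage: check_ccache_dir /tmp/krb5cc_1000 1000
check_ccache_dir() {
    dir=$1
    want_uid=$2

    # A predictable name under /tmp is a classic squatting target: never treat
    # a symlink as "our" cache directory, whatever it currently points at.
    if [ -L "$dir" ]; then
        echo "REJECT: $dir is a symlink"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "REJECT: $dir is not a directory"
        return 1
    fi

    uid=$(stat -c '%u' "$dir")      # numeric owner
    mode=$(stat -c '%a' "$dir")     # octal permission bits, e.g. 700
    if [ "$uid" != "$want_uid" ]; then
        echo "REJECT: $dir is owned by uid $uid, expected $want_uid"
        return 1
    fi
    case "$mode" in
        700)
            echo "OK: $dir is a 0700 directory owned by uid $uid"
            return 0
            ;;
        600)
            # The symptom in the post: without the owner search (x) bit the
            # owner cannot enter the directory to reach the tkt file inside it.
            echo "REJECT: $dir is mode 0600 (owner x bit missing)"
            return 1
            ;;
        *)
            echo "REJECT: $dir is mode 0$mode, expected 0700"
            return 1
            ;;
    esac
}

# When run directly with two arguments, check that directory.
if [ $# -eq 2 ]; then
    check_ccache_dir "$1" "$2"
fi
```

The symlink test is there for a reason: the post's workaround of running chmod as root on a predictable /tmp path is safe only if nobody else could have created that path first, so a check like this belongs before any privileged repair.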
sssd with samba
by Edouard Guigné
Dear sssd users,
I would like to get information about the use of sssd with samba
(centos 7, samba 4.8.3).
I need it because I configured a samba share, accessible with sssd.
The authentication is against a windows AD.
My /etc/nsswitch.conf is configured only with sssd:
passwd: files sss
shadow: files sss
group: files sss
For another purpose, I set up an sftpd access also configured with sssd
against the AD.
I followed some discussions on the samba user list about samba + sssd.
I would like to understand if there are some issues with sssd and samba
4.8.3 on centos 7? Or is it with the next RHEL 8?
The RHEL 8 documentation states this:
"Red Hat only supports running Samba as a server with the winbindd
service to provide domain users and groups to the local system. Due to
certain limitations, such as missing Windows access control list (ACL)
support and NT LAN Manager (NTLM) fallback, SSSD is not supported."
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_deploying-different-types-of-servers
What's confusing is that the RHEL 7 documentation says:
"Prior to Red Hat Enterprise Linux 7.1, only Winbind provided this
functionality. In Red Hat Enterprise Linux 7.1 and later, you no longer
need to run Winbind and SSSD in parallel to access SMB shares. For
example, accessing the Access Control Lists (ACLs) no longer requires
Winbind on SSSD clients."
and
"4.2.2. Determining Whether to Use SSSD or Winbind for SMB Shares
For most SSSD clients, using SSSD is recommended:"
and most worrisome, in my use case:
"In environments with direct Active Directory integration where the
clients use SSSD for general Active Directory user mappings, using
Winbind for the SMB ID mapping instead of SSSD can result in
inconsistent mapping."
In my case, running samba 4.8.3 with SSSD on centos 7, do I need to:
- enable and start the winbind service, in conjunction with sssd?
- or is sssd alone enough with samba?
- Do I have to fear issues in the next release of sssd for the support of
samba? Especially for ACL support?
A nsswitch.conf like:
passwd: files sss winbind
shadow: files sss winbind
group: files sss winbind
or
passwd: files winbind sss
shadow: files winbind sss
group: files winbind sss
does not seem to work... I tested and this is not stable.
Best Regards,
Edouard
2 years, 6 months
System error when trying to login into an AD after upgrading to Samba 4.12.2
by Thibault Boyeux
Hi all,
I'm encountering an issue after upgrading to Samba 4.12.2. I can no longer
login with an Active Directory account from a terminal or gnome. I'm
prompted with a "System error" message.
When I downgrade to samba 4.11.3 everything works fine. AD authentication
works OK with the same account from a Windows machine.
"getent passwd my_username" works well, as does "getent passwd <group>". kinit
my_username(a)DOMAIN.NET works OK too. Logging in with "su <username>"
from a local account works too.
SSSD version: 2.2.3. This is from an Arch Linux package that has been
patched
<https://git.archlinux.org/svntogit/community.git/tree/trunk?h=packages/sssd>
by its maintainer for compatibility with Samba 4.12 (I also compiled sssd
from the current git source code, but encountered the same cryptic error.)
Samba version: 4.12.2
Operating system: Arch Linux (fully upgraded)
Any idea how I could fix this / investigate this further? Please find
sssd.conf and logs below - I couldn't find anything interesting in there
but I'm no expert :)
Thanks a lot!
=== sssd.conf ===
[sssd]
config_file_version = 2
domains = domain.net
services = nss, pam
debug_level = 6
[domain/domain.net]
ad_hostname = computer.domain.net
krb5_realm = DOMAIN.NET
cache_credentials = true
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ldap_schema = ad
default_shell = /bin/zsh
fallback_homedir = /home/DOMAIN/%u
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
debug_level = 6
#enumerate = true
[pam]
debug_level = 6
[nss]
debug_level = 6
=== sssd_domain.net.log ===
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[dp_get_account_info_send] (0x0200): Got request for
[0x3][BE_REQ_INITGROUPS][name=my_username(a)domain.net]
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req] (0x0400):
DP Request [Initgroups #17]: New request. Flags [0x0001].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req] (0x0400):
Number of active DP request: 1
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_initgr_next_base] (0x0400): Searching for users with base
[DC=domain,DC=net]
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(sAMAccountName=my_username)(objectclass=user)(objectSID=*))][DC=domain,DC=net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
(0x0400): Save user
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_get_primary_name]
(0x0400): Processing object MY_USERNAME
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
(0x0400): Processing user MY_USERNAME(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
(0x0400): Adding original memberOf attributes to [MY_USERNAME(a)domain.net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
(0x0400): Adding user principal [MY_USERNAME(a)DOMAIN.NET] to attributes of [
MY_USERNAME(a)domain.net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
(0x0400): Storing info for user MY_USERNAME(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_set_entry_attr]
(0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=domain.net,cn=sysdb]
has set [ts_cache] attrs.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_store_user]
(0x0400): User "MY_USERNAME(a)domain.net" has been stored
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no
filter][CN=My Username,OU=Users,DC=domain,DC=net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_idmap_sid_to_unix]
(0x0400): Object SID [S-1-5-32-545] is a built-in one.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_ad_save_group_membership_with_idmapping] (0x0400): Skipping built-in
object.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_get_initgr_done]
(0x0400): Primary group already cached, nothing to do.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done] (0x0400):
DP Request [Initgroups #17]: Request handler finished [0]: Success
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [_dp_req_recv] (0x0400):
DP Request [Initgroups #17]: Receiving request data.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
(0x0400): DP Request [Initgroups #17]: Request removed.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
(0x0400): Number of active DP request: 0
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[dp_get_account_info_initgroups_step] (0x0400): Ordering NSS responder to
update memory cache
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_set_entry_attr]
(0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=domain.net,cn=sysdb]
has set [ts_cache] attrs.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sbus_issue_request_done]
(0x0400): sssd.dataprovider.getAccountInfo: Success
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_pam_handler_send]
(0x0100): Got request with the following data
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): command: SSS_PAM_AUTHENTICATE
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): domain: domain.net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): user: MY_USERNAME(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): service: login
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): tty: tty4
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): ruser:
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): rhost:
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): authtok type: 1
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): priv: 1
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): cli_pid: 70306
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): logon name: not set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): flags: 0
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req] (0x0400):
DP Request [PAM Authenticate #18]: New request. Flags [0000].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req] (0x0400):
Number of active DP request: 1
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [krb5_auth_send]
(0x0100): Domain directory for user [MY_USERNAME(a)domain.net] not known.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'AD'
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [resolve_srv_send]
(0x0200): The status of SRV lookup is resolved
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[be_resolve_server_process] (0x0200): Found address for server
ADDC.domain.net: [192.168.5.4] TTL 900
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [write_pipe_handler]
(0x0400): All data has been sent!
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [child_sig_handler]
(0x0100): child [71170] finished successfully.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [fo_set_port_status]
(0x0100): Marking port 389 of server 'ADDC.domain.net' as 'working'
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[set_server_common_status] (0x0100): Marking server 'ADDC.domain.net' as
'working'
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [fo_set_port_status]
(0x0400): Marking port 389 of duplicate server 'ADDC.domain.net' as
'working'
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_set_entry_attr]
(0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=domain.net,cn=sysdb]
has set [cache, ts_cache] attrs.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_set_entry_attr]
(0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=domain.net,cn=sysdb]
has set [cache, ts_cache] attrs.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done] (0x0400):
DP Request [PAM Authenticate #18]: Request handler finished [0]: Success
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [_dp_req_recv] (0x0400):
DP Request [PAM Authenticate #18]: Receiving request data.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
(0x0400): DP Request [PAM Authenticate #18]: Request removed.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
(0x0400): Number of active DP request: 0
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_method_enabled]
(0x0400): Target selinux is not configured
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sbus_issue_request_done]
(0x0400): sssd.dataprovider.pamHandler: Success
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_pam_handler_send]
(0x0100): Got request with the following data
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): command: SSS_PAM_ACCT_MGMT
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): domain: domain.net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): user: MY_USERNAME(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): service: login
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): tty: tty4
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): ruser:
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): rhost:
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): authtok type: 0
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): priv: 1
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): cli_pid: 70306
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): logon name: not set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): flags: 0
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req] (0x0400):
DP Request [PAM Account #19]: New request. Flags [0000].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req] (0x0400):
Number of active DP request: 1
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_access_send]
(0x0400): Performing access check for user [MY_USERNAME(a)domain.net]
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_account_expired_ad]
(0x0400): Performing AD access check for user [MY_USERNAME(a)domain.net]
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_access_send]
(0x0400): service login maps to Interactive
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_connect_done]
(0x0400): sam_account_name is COMPUTER$
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectclass=user)(sAMAccountName=COMPUTER$))][dc=domain,dc=net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[objectclass=domain][DC=domain,DC=net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_master_domain_next_done] (0x0400): Found SID
[S-1-5-21-3635097336-3991203712-2063481127].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(DnsDomain=domain.net)(NtVer=\14\00\00\00))][].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_master_domain_netlogon_done] (0x0400): Found flat name [DOMAIN].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_master_domain_netlogon_done] (0x0400): Found site [Domain].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_master_domain_netlogon_done] (0x0400): Found forest [domain.net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_site_name_retrieval_done] (0x0400): Using AD site 'cn=Domain'.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectclass=*)][].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is
OU=Computers,DC=domain,DC=net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is
DC=domain,DC=net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is
cn=Domain,cn=Sites,CN=Configuration,DC=domain,DC=net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectclass=*)][OU=Computers,DC=domain,DC=net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_populate_gplink_list] (0x0400): som_dn:
OU=Computers,DC=domain,DC=net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectclass=*)][DC=domain,DC=net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=domain,DC=net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectclass=*)][cn=Domain,cn=Sites,CN=Configuration,DC=domain,DC=net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn:
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn:
cn={6FF5E2F5-D491-45A1-9432-5AB497AEF031},cn=policies,cn=system,DC=domain,DC=net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_sd_search_send]
(0x0400): Searching entry
[CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=net]
using SD
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because
scope is set to base.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectclass=*)][CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_parse_sd]
(0x0020): Failed to pull security descriptor
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_sd_process_attrs]
(0x0040): ad_gpo_parse_sd() failed
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_process_gpo_done]
(0x0040): Unable to get GPO list: [22](Invalid argument)
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_access_done]
(0x0040): GPO-based access control failed.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done] (0x0400):
DP Request [PAM Account #19]: Request handler finished [0]: Success
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [_dp_req_recv] (0x0400):
DP Request [PAM Account #19]: Receiving request data.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
(0x0400): DP Request [PAM Account #19]: Request removed.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
(0x0400): Number of active DP request: 0
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_method_enabled]
(0x0400): Target selinux is not configured
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sbus_issue_request_done]
(0x0400): sssd.dataprovider.pamHandler: Success
=== sssd_pam.log ====
(Fri May 8 15:10:10 2020) [sssd[pam]] [get_client_cred] (0x0080): The
following failure is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [95][Operation not supported].
Please, consider enabling SELinux in your system.
(Fri May 8 15:10:10 2020) [sssd[pam]] [accept_fd_handler] (0x0400): Client
[0x5606d6371860][19] connected to privileged pipe!
(Fri May 8 15:10:10 2020) [sssd[pam]] [sss_cmd_get_version] (0x0200):
Received client version [3].
(Fri May 8 15:10:10 2020) [sssd[pam]] [sss_cmd_get_version] (0x0200):
Offered version [3].
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_cmd_authenticate] (0x0100):
entering pam_cmd_authenticate
(Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
(0x0200): name 'my_username' matched without domain, user is my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): command:
SSS_PAM_AUTHENTICATE
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): domain:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): user:
my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): service:
login
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): tty: tty4
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): ruser:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): rhost:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): authtok
type: 1
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
70306
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): logon
name: my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): flags: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_send] (0x0400): CR #12:
New request 'Initgroups by name'
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_process_input] (0x0400):
CR #12: Parsing input name [my_username]
(Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
(0x0200): name 'my_username' matched without domain, user is my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_name] (0x0400): CR
#12: Setting name [my_username]
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_select_domains] (0x0400):
CR #12: Performing a multi-domain search
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_domains] (0x0400):
CR #12: Search will bypass the cache and check the data provider
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_domain] (0x0400): CR
#12: Using domain [domain.net]
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_prepare_domain_data]
(0x0400): CR #12: Preparing input data for domain [domain.net] rules
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_send] (0x0400): CR
#12: Looking up my_username(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache] (0x0400):
CR #12: Checking negative cache for [my_username(a)domain.net]
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache] (0x0400):
CR #12: [my_username(a)domain.net] is not present in negative cache
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_dp] (0x0400): CR
#12: Looking up [my_username(a)domain.net] in data provider
(Fri May 8 15:10:10 2020) [sssd[pam]] [sss_dp_get_account_send] (0x0400):
Creating request for [domain.net
][0x3][BE_REQ_INITGROUPS][name=my_username@domain.net:-]
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_cache] (0x0400):
CR #12: Looking up [my_username(a)domain.net] in cache
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache_filter]
(0x0400): CR #12: This request type does not support filtering result by
negative cache
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_done] (0x0400): CR
#12: Returning updated object [my_username(a)domain.net]
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_create_and_add_result]
(0x0400): CR #12: Found 4 entries in domain domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_done] (0x0400): CR #12:
Finished: Success
(Fri May 8 15:10:10 2020) [sssd[pam]] [pd_set_primary_name] (0x0400):
User's primary name is my_username(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
request with the following data:
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): command:
SSS_PAM_AUTHENTICATE
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): domain:
domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): user:
my_username(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): service:
login
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): tty: tty4
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): ruser:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): rhost:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): authtok
type: 1
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
70306
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): logon
name: my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): flags: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dom_forwarder] (0x0100):
pam_dp_send_req returned 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req_done] (0x0200):
received: [0 (Success)][domain.net]
(Fri May 8 15:10:10 2020) [sssd[pam]] [sysdb_set_entry_attr] (0x0200):
Entry [name=my_username(a)domain.net,cn=users,cn=domain.net,cn=sysdb] has set
[cache, ts_cache] attrs.
(Fri May 8 15:10:10 2020) [sssd[pam]] [filter_responses] (0x0100):
[pam_response_filter] not available, not fatal.
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): blen: 85
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): Returning [0]:
Success to the client
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100):
entering pam_cmd_acct_mgmt
(Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
(0x0200): name 'my_username' matched without domain, user is my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): command:
SSS_PAM_ACCT_MGMT
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): domain:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): user:
my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): service:
login
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): tty: tty4
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): ruser:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): rhost:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): authtok
type: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
70306
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): logon
name: my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): flags: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_send] (0x0400): CR #13:
New request 'Initgroups by name'
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_process_input] (0x0400):
CR #13: Parsing input name [my_username]
(Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
(0x0200): name 'my_username' matched without domain, user is my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_name] (0x0400): CR
#13: Setting name [my_username]
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_select_domains] (0x0400):
CR #13: Performing a multi-domain search
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_domains] (0x0400):
CR #13: Search will check the cache and check the data provider
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_domain] (0x0400): CR
#13: Using domain [domain.net]
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_prepare_domain_data]
(0x0400): CR #13: Preparing input data for domain [domain.net] rules
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_send] (0x0400): CR
#13: Looking up my_username(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache] (0x0400):
CR #13: Checking negative cache for [my_username(a)domain.net]
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache] (0x0400):
CR #13: [my_username(a)domain.net] is not present in negative cache
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_cache] (0x0400):
CR #13: Looking up [my_username(a)domain.net] in cache
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_send] (0x0400): CR
#13: Returning [my_username(a)domain.net] from cache
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache_filter]
(0x0400): CR #13: This request type does not support filtering result by
negative cache
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_create_and_add_result]
(0x0400): CR #13: Found 4 entries in domain domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_done] (0x0400): CR #13:
Finished: Success
(Fri May 8 15:10:10 2020) [sssd[pam]] [pd_set_primary_name] (0x0400):
User's primary name is my_username(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
request with the following data:
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): command:
SSS_PAM_ACCT_MGMT
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): domain:
domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): user:
my_username(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): service:
login
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): tty: tty4
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): ruser:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): rhost:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): authtok
type: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
70306
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): logon
name: my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): flags: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dom_forwarder] (0x0100):
pam_dp_send_req returned 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req_done] (0x0200):
received: [4 (System error)][domain.net]
(Fri May 8 15:10:10 2020) [sssd[pam]] [filter_responses] (0x0100):
[pam_response_filter] not available, not fatal.
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): blen: 31
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): Returning [4]:
System error to the client
(Fri May 8 15:10:10 2020) [sssd[pam]] [client_recv] (0x0200): Client
disconnected!
3 years
High CPU usage in sssd_autofs running Chef knife
by John Beranek
So, I recently noticed an issue, which I think is new.
Fedora 32
sssd 2.3.0 - configured for AD, including sudo and autofs
I found that when Chef's "knife" command (from Chef Workstation 0.3.2) is
run, the command takes a very long time to run, and in top sssd_be and
sssd_autofs use a lot of CPU.
e.g.
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
17579 root 20 0 259196 32220 9340 S 28.2 0.4 0:18.62 sssd_autofs
17575 root 20 0 346320 25276 21672 S 24.3 0.3 0:16.54 sssd_be
I turned debug up to 9 for the autofs module, and what looked apparent to me
was the following, from one run of 'knife':
# grep "not found in cache" sssd_autofs.log |wc -l
53144
# grep "not found in cache" sssd_autofs.log |head -n 20
(2020-05-27 16:19:24): [autofs] [cache_req_search_cache] (0x0400): CR
#15184: Object [auto.home] was not found in cache
(2020-05-27 16:19:24): [autofs] [cache_req_search_cache] (0x0400): CR
#15184: Object [auto.home] was not found in cache
(2020-05-27 16:19:24): [autofs] [cache_req_search_cache] (0x0400): CR
#15185: Object [auto.home:gem.deps.rb] was not found in cache
(2020-05-27 16:19:24): [autofs] [cache_req_search_cache] (0x0400): CR
#15185: Object [auto.home:gem.deps.rb] was not found in cache
(2020-05-27 16:19:24): [autofs] [cache_req_search_cache] (0x0400): CR
#15185: Object [auto.home:gem.deps.rb] was not found in cache
(2020-05-27 16:19:24): [autofs] [cache_req_search_cache] (0x0400): CR
#15185: Object [auto.home:gem.deps.rb] was not found in cache
(2020-05-27 16:19:24): [autofs] [cache_req_search_cache] (0x0400): CR
#15186: Object [auto.home:/] was not found in cache
(2020-05-27 16:19:24): [autofs] [cache_req_search_cache] (0x0400): CR
#15186: Object [auto.home:/] was not found in cache
(2020-05-27 16:19:24): [autofs] [cache_req_search_cache] (0x0400): CR
#15186: Object [auto.home:/] was not found in cache
(2020-05-27 16:19:24): [autofs] [cache_req_search_cache] (0x0400): CR
#15186: Object [auto.home:/] was not found in cache
(2020-05-27 16:19:24): [autofs] [cache_req_search_cache] (0x0400): CR
#15187: Object [auto.home:*] was not found in cache
(2020-05-27 16:19:24): [autofs] [cache_req_search_cache] (0x0400): CR
#15187: Object [auto.home:*] was not found in cache
(2020-05-27 16:19:24): [autofs] [cache_req_search_cache] (0x0400): CR
#15187: Object [auto.home:*] was not found in cache
(2020-05-27 16:19:24): [autofs] [cache_req_search_cache] (0x0400): CR
#15187: Object [auto.home:*] was not found in cache
(2020-05-27 16:19:24): [autofs] [cache_req_search_cache] (0x0400): CR
#15188: Object [auto.home] was not found in cache
(2020-05-27 16:19:24): [autofs] [cache_req_search_cache] (0x0400): CR
#15188: Object [auto.home] was not found in cache
(2020-05-27 16:19:24): [autofs] [cache_req_search_cache] (0x0400): CR
#15189: Object [auto.home:gems.rb] was not found in cache
(2020-05-27 16:19:24): [autofs] [cache_req_search_cache] (0x0400): CR
#15189: Object [auto.home:gems.rb] was not found in cache
(2020-05-27 16:19:24): [autofs] [cache_req_search_cache] (0x0400): CR
#15189: Object [auto.home:gems.rb] was not found in cache
(2020-05-27 16:19:24): [autofs] [cache_req_search_cache] (0x0400): CR
#15189: Object [auto.home:gems.rb] was not found in cache
Any ideas what could be causing this? Happy to provide sanitised config if
required.
Cheers,
John
--
John Beranek
http://redux.org.uk/
"To generalise is to be an idiot." -- William Blake
3 years
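The two logs in the threads above (the GPO access-check failure in sssd_be and sssd_pam, and the autofs cache-miss flood from the knife run) call for the same first triage step: re-join the records that a mail client wrapped, parse the standard SSSD debug layout, then ask one specific question of each log. The following is an added example, not code from either poster or from the SSSD project; the log text inside is constructed from lines quoted in the threads, and the function names and the failure-level threshold (0x0040) are my own choices.

```python
import re
from collections import Counter

# A record starts with a parenthesised timestamp in either layout seen in the threads;
# any other line is a mail-wrapped continuation of the previous record.
RECORD_START = re.compile(r"^\((?:[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d|\d{4}-\d\d-\d\d)")
RECORD = re.compile(r"^\((?P<ts>[^)]+)\):?\s+\[(?P<comp>\S+?)\]\s+\[(?P<func>[^\]]+)\]"
                    r"\s+\((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$")
DP_REQ = re.compile(r"DP Request \[(?P<name>[^\]]+)\]: "
                    r"(?P<event>New request|Request handler finished \[(?P<rc>\d+)\])")
PAM_RESULT = re.compile(r"received: \[(?P<rc>\d+) \((?P<text>[^)]+)\)\]")
MISS = re.compile(r"Object \[(?P<key>[^\]]+)\] was not found in cache")

# Constructed samples, condensed from lines quoted in the two threads.
BE_LOG = """\
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req] (0x0400):
DP Request [PAM Account #19]: New request. Flags [0000].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_parse_sd]
(0x0020): Failed to pull security descriptor
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_process_gpo_done]
(0x0040): Unable to get GPO list: [22](Invalid argument)
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_access_done]
(0x0040): GPO-based access control failed.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done] (0x0400):
DP Request [PAM Account #19]: Request handler finished [0]: Success
"""
PAM_LOG = """\
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req_done] (0x0200):
received: [4 (System error)][domain.net]
"""
AUTOFS_LOG = """\
(2020-05-27 16:19:24): [autofs] [cache_req_search_cache] (0x0400): CR
#15184: Object [auto.home] was not found in cache
(2020-05-27 16:19:24): [autofs] [cache_req_search_cache] (0x0400): CR
#15185: Object [auto.home:gem.deps.rb] was not found in cache
(2020-05-27 16:19:24): [autofs] [cache_req_search_cache] (0x0400): CR
#15185: Object [auto.home:gem.deps.rb] was not found in cache
"""


def parse(text):
    """Re-join wrapped records, then return dicts with ts/comp/func/level/msg."""
    records = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    parsed = [m.groupdict() for m in map(RECORD.match, records) if m]
    for d in parsed:
        d["level"] = int(d["level"], 16)   # 0x0020/0x0040 are failure levels
    return parsed


def diagnose_access(be_text, pam_text):
    """Per DP request, collect failure-level messages logged while it was open;
    the handler can finish "Success" while the PAM responder still returns 4."""
    requests, active = [], None
    for r in parse(be_text):
        m = DP_REQ.search(r["msg"])
        if m and m.group("event") == "New request":
            active = {"name": m.group("name"), "rc": None, "errors": []}
            requests.append(active)
        elif m and active and active["name"] == m.group("name"):
            active["rc"] = int(m.group("rc"))
            active = None
        elif active and r["level"] <= 0x0040:
            active["errors"].append(f'{r["func"]}: {r["msg"]}')
    pam = [PAM_RESULT.search(r["msg"]) for r in parse(pam_text)]
    pam = [(int(m.group("rc")), m.group("text")) for m in pam if m]
    return {"requests": requests, "pam_result": pam[-1] if pam else None}


def autofs_cache_misses(text):
    """Count cache misses per map key; knife probing for gem files shows up here."""
    counts = Counter()
    for r in parse(text):
        m = MISS.search(r["msg"])
        if m and r["comp"] == "autofs":
            counts[m.group("key")] += 1
    return counts
```

Run `diagnose_access` over the real sssd_be.log and sssd_pam.log pair to see which GPO step failed inside the account request even though the request itself reported Success, and `autofs_cache_misses(...).most_common(10)` over sssd_autofs.log to see which map keys knife keeps probing.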
sssd ad_access_filter with nested groups
by Personne
Hello,
I've been using sssd for quite a while now without issue, but today I'm
having this problem.
My IDP is Active Directory. I have a "user1" who is a member of "group1", and
that "group1" is a member of multiple groups, one of them called
"access_server1".
I'm trying to apply ad_access_filter with nested groups, and therefore
need to recurse the groups.
I have tried:
ad_access_filter = memberOf=cn=access_server1,cn=Users,dc=glop,dc=com
but it does not work because of this
https://confluence.atlassian.com/crowdkb/active-directory-user-filter-doe...
Then I tried to apply what is in this article and my LDAP filter is:
ad_access_filter = (memberOf:1.2.840.113556.1.4.1941:=cn=access_server1,cn=Users,dc=glop,dc=com)
But it still does not work
I got this beautiful error message in the sssd log file
(Tue May 19 00:07:55 2020) [sssd[be[glop.com]]] [parse_filter] (0x0020):
Keyword in filter
[(memberOf:1.2.840.113556.1.4.1941:=CN=access_server1,CN=Users,DC=glop,DC=com)]
*did not match expected format*
(Tue May 19 00:07:55 2020) [sssd[be[glop.com]]] [ad_parse_access_filter]
(0x0080): Access filter
[(memberOf:1.2.840.113556.1.4.1941:=CN=access_server1,CN=Users,DC=glop,DC=com)]
*could not be parsed, skipping*
(Tue May 19 00:07:55 2020) [sssd[be[glop.com]]] [sdap_access_send]
(0x0400): Performing access check for user [user1(a)glop.com]
Thanks for your help
3 years
use certificates to bind to the LDAP server
by Mario G
Hello
We would like not to have encrypted or hashed passwords (which can be easily reverse-engineered) in the sssd.conf config file.
We would like to bind to the LDAP server using client certificates, as is suggested in the sss_obfuscate man page shipped with the sssd-tools package.
But I cannot find any reference on how to replace the ldap_default_authtok setting with certificate authentication. Is that done with pam-ldap, or how can it be achieved? I cannot find any documentation. We really do not want to have the cleartext password in a config file.
Is this possible with sssd?
regards
3 years
The SSSD and sIDHistory
by Lawrence Kearney
Hello! A question: is it possible now, or would there be value in
developing the ability, for the daemon to use the sIDHistory attribute when
id-mapping is used for users and groups that are migrated to new domains?
If I assume correctly, normally there would not be a need for this because
in direct integration mode id-mapping is constrained by the domain, so the
object SID is the object SID. However, if you are migrating users to a new
domain (or domains), as the result of organisational changes or upgrades for
example, it would be very useful if a specific value in the sIDHistory
attribute could be referenced for id-mapping, so that POSIX file systems or
other data relationships tied to UID/GID enumerations, if they exist, were
not negatively impacted.
And again, if I understand correctly, indirect integration modes do not
solve this potential issue if the target users reside in domains trusted by
the IPA domain.
Suggestions or feedback are welcome if I misunderstand; and if I do understand
correctly, is there a possibility of developing a solution for this use case?
Many thanks as always,
-- lawrence
3 years