May 2020 - sssd-users - Fedora Mailing-Lists

Re: ldap_access_filter ignored for some users

by Jakub Hrozek

On Mon, May 18, 2020 at 03:53:15PM +0000, Sajesh Singh wrote: > If there were no PAM requests then what could be triggering SSSD to do the lookup that I see in the logs? > > -Sajesh- Oh, sorry, you're right, there is pam_print_data also in the second snippet. What log level was this gathered with? The pam responder logs would be useful either way.

3 years, 11 months

2
1
0 / 0

Announcing SSSD 2.3.0

by Pavel Březina

# SSSD 2.3.0 The SSSD team is proud to announce the release of version 2.3.0 of the System Security Services Daemon. The tarball can be downloaded from: https://github.com/SSSD/sssd/releases/tag/sssd-2_3_0 See the full release notes at: https://sssd.github.io/docs/users/relnotes/notes_2_3_0 RPM packages will be made available for Fedora shortly. ## Feedback Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users ## Highlights ### New features - SSSD can now handle `hosts` and `networks` nsswitch databases (see `resolve_provider` option) - By default, authentication request only refresh user's initgroups if it is expired or there is not active user's session (see `pam_initgroups_scheme` option) - OpenSSL is used as default crypto provider, NSS is deprecated - Active Directory provider now defaults to GSS-SPNEGO SASL mechanism (see `ldap_sasl_mech` option) - Active Directory provider can now be configured to use only `ldaps` port (see `ad_use_ldaps` option) - SSSD now accepts host entries from GPO's security filter - Format of debug messages has changed to be shorter and better sortable - New debug level (`0x10000`) was added for low level ldb messages only (see `sssd.conf` man page) ### Packaging changes - New configure option `--enable-gss-spnego-for-zero-maxssf` ### Documentation Changes - Default value of `ldap_sasl_mech` has changed to `GSS-SPNEGO` for AD provider - Return code of `pam_sss.so` are documented in `pam_sss` manpage - Added option `ad_update_samba_machine_account_password` - Added option `ad_use_ldaps` - Added option `ldap_iphost_object_class` - Added option `ldap_iphost_name` - Added option `ldap_iphost_number` - Added option `ldap_ipnetwork_object_class` - Added option `ldap_ipnetwork_name` - Added option `ldap_ipnetwork_number` - Added option `ldap_iphost_search_base` - Added option `ldap_ipnetwork_search_base` - Added option `ldap_connection_expire_offset` - Added option `ldap_sasl_maxssf` - Added option `pam_initgroups_scheme` - Added option `entry_cache_resolver_timeout` - Added option `entry_cache_computer_timeout` - Added option `resolver_provider` - Added option `proxy_resolver_lib_name` - Minor text improvements

3 years, 11 months

3
3
0 / 0

using smartcard auth with sssd and kerberos

by Gunnar Hilling

Hi! I'm trying to set up smart card authentication using sssd with user's info stored in active directory. The setup is already working but the authentication is only locally. As I understand it should be possible to acquire a kerberos ticket during authentication? Is there a working example for such a setup? I found https://docs.pagure.org/SSSD.sssd/design_pages/smartcard_authentication_p... but I'm not really sure how krb5.conf should actually be configured... Kind regards, Gunnar

3 years, 11 months

2
1
0 / 0

sssd not able to see global AD groups in trusted domains -- expected behavior?

by Spike White

All, For RHEL7 and RHEL8 sssd, it can see domain-local AD groups (from the local domain) + global groups (from the local domain) + universal groups (from all trusted domains). Yet it cannot see global groups from non-local trusted domains. We have those team convert the group to universal groups and problem solved. (don't use many global groups anyway), Is this expected behaviour? in the /etc/sssd/sssd.conf file, the local domain is defined and then the other trusted domains are auto-discovered. so that it's searching the GC to find universal group memberships. I mention the trusted domains in "domain_resolution_order". Like I say -- this is not a big problem. We rarely use global groups anyway. Just curious if this is expected behaviour. Spike

3 years, 11 months

2
1
0 / 0

Re: ldap_access_filter ignored for some users

by Jakub Hrozek

On Mon, May 18, 2020 at 01:29:49PM +0000, Sajesh Singh wrote: > Jakub, > Both of the logins were via a web application that uses the underlying PAM subsystem on the server. Then you should look into the pam responder logs, too, because the back end logs show no PAM request.

3 years, 11 months

2
1
0 / 0

Re: ldap_access_filter ignored for some users

by Jakub Hrozek

On Fri, May 15, 2020 at 05:07:30PM +0000, Sajesh Singh wrote: > CentOS 7.8 > SSSD 1.16.4 > > Having a strange issue where the ldap_access_filter seems to be applied to some users and not others when they are both logging into the same application that is using the underlying OS PAM configuration. Below are the excerpts from the logs: > > USERA log entires: > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERA > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user USERA@default > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [USERA@default]. > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [USERA@default]. > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=USERA)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=USERA@default] from reply table > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default] > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default] > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=USERA)(allowedService=USERAAdmin)))][uid=USERA,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][name=USERAadmin@default] > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=USERAadmin)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERAadmin > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_group] (0x0400): Processing group USERAadmin@default > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_group] (0x0400): Storing info for group USERAadmin@default > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:2::default:name=USERAadmin@default] from reply table > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=USERA@default] > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERA > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user USERA@default > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [USERA@default]. > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [USERA@default]. > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=USERA)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=USERA@default] from reply table > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default] > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default] > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=USERA)(allowedService=USERAAdmin)))][uid=USERA,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=USERA@default] > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERA > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user USERA@default > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [USERA@default]. > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [USERA@default]. > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=USERA)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=USERA@default] from reply table > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default] > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default] > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=USERA)(allowedService=USERAAdmin)))][uid=USERA,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=USERA@default] > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERA > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user USERA@default > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [USERA@default]. > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [USERA@default]. > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=USERA)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=USERA@default] from reply table > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default] > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default] > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=ObjectClassA)(objectClass=ObjectClassB)(AttributeA=TRUE)(|(AttributeB=ServiceC)(AttributeC=ServiceA)(AttributeC=ServiceB)))][uid=USERA,ou=OUA,ou=OUB,dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default > (Fri May 15 12:50:02 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default > > > USERB log entries: > > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object emu > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user emu@default > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [emu@default]. > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [emu@default]. > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user emu@default > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=emu)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=emu@default] from reply table > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [emu@default] > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [emu@default] > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=EMU)(allowedService=EMUAdmin)))][uid=emu,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=emu@default] > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object emu > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user emu@default > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [emu@default]. > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [emu@default]. > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user emu@default > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=emu)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=emu@default] from reply table > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [emu@default] > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [emu@default] > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=EMU)(allowedService=EMUAdmin)))][uid=emu,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default > (Fri May 15 10:40:10 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object emu > (Fri May 15 10:40:10 2020) [sssd[be[default]]] [sdap_save_group] (0x0400): Processing group emu@default > (Fri May 15 10:40:10 2020) [sssd[be[default]]] [sdap_save_group] (0x0400): Storing info for group emu@default > (Fri May 15 10:40:53 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=emu@default] > (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object emu > (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user emu@default > (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [emu@default]. > (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [emu@default]. > > As you can see from the 2 log excerpts USERB never has the ldap_access_filter check applied while it is done for USERA. Has anyone encounted this before? There is no login attempt here, how did USERB log? Was it su from root by any chance?

3 years, 11 months

2
1
0 / 0

ldap_access_filter ignored for some users

by Sajesh Singh

CentOS 7.8 SSSD 1.16.4 Having a strange issue where the ldap_access_filter seems to be applied to some users and not others when they are both logging into the same application that is using the underlying OS PAM configuration. Below are the excerpts from the logs: USERA log entires: (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERA (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user USERA@default (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [USERA@default]. (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [USERA@default]. (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=USERA)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 12:35:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=USERA@default] from reply table (Fri May 15 12:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default] (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default] (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=USERA)(allowedService=USERAAdmin)))][uid=USERA,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX]. (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 12:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default (Fri May 15 12:35:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][name=USERAadmin@default] (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=USERAadmin)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERAadmin (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_group] (0x0400): Processing group USERAadmin@default (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_group] (0x0400): Storing info for group USERAadmin@default (Fri May 15 12:35:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:2::default:name=USERAadmin@default] from reply table (Fri May 15 12:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default (Fri May 15 12:40:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=USERA@default] (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERA (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user USERA@default (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [USERA@default]. (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [USERA@default]. (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=USERA)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 12:40:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=USERA@default] from reply table (Fri May 15 12:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default] (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default] (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=USERA)(allowedService=USERAAdmin)))][uid=USERA,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX]. (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 12:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default (Fri May 15 12:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default (Fri May 15 12:45:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=USERA@default] (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERA (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user USERA@default (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [USERA@default]. (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [USERA@default]. (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=USERA)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 12:45:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=USERA@default] from reply table (Fri May 15 12:45:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default] (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default] (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=USERA)(allowedService=USERAAdmin)))][uid=USERA,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX]. (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 12:45:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default (Fri May 15 12:45:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default (Fri May 15 12:50:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=USERA@default] (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERA (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user USERA@default (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [USERA@default]. (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [USERA@default]. (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=USERA)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 12:50:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=USERA@default] from reply table (Fri May 15 12:50:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default] (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default] (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=ObjectClassA)(objectClass=ObjectClassB)(AttributeA=TRUE)(|(AttributeB=ServiceC)(AttributeC=ServiceA)(AttributeC=ServiceB)))][uid=USERA,ou=OUA,ou=OUB,dc=DOMAIN,dc=SUFFIX]. (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 12:50:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default (Fri May 15 12:50:02 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default USERB log entries: (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object emu (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user emu@default (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [emu@default]. (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [emu@default]. (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user emu@default (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=emu)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 10:35:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=emu@default] from reply table (Fri May 15 10:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [emu@default] (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [emu@default] (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=EMU)(allowedService=EMUAdmin)))][uid=emu,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX]. (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 10:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default (Fri May 15 10:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default (Fri May 15 10:40:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=emu@default] (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object emu (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user emu@default (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [emu@default]. (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [emu@default]. (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user emu@default (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=emu)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 10:40:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=emu@default] from reply table (Fri May 15 10:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [emu@default] (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [emu@default] (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=EMU)(allowedService=EMUAdmin)))][uid=emu,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX]. (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 10:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default (Fri May 15 10:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default (Fri May 15 10:40:10 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object emu (Fri May 15 10:40:10 2020) [sssd[be[default]]] [sdap_save_group] (0x0400): Processing group emu@default (Fri May 15 10:40:10 2020) [sssd[be[default]]] [sdap_save_group] (0x0400): Storing info for group emu@default (Fri May 15 10:40:53 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=emu@default] (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object emu (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user emu@default (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [emu@default]. (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [emu@default]. As you can see from the 2 log excerpts USERB never has the ldap_access_filter check applied while it is done for USERA. Has anyone encounted this before? Thank you, Sajesh

3 years, 11 months

1
0
0 / 0

sssd behavior when most AD controllers blocked?

by Spike White

All, sssd migration has been working very well for us -- except in the DMZs and heavily-restricted firewalled network segments. For those network segments, the AD site is the same as the equivalent corporate location. So the typical DNS SRV record lookup reports a wealth of AD controllers -- most of which are blocked. (not LDAPS traffic allowed). A couple of AD DCs are in the DMZ, etc. The old commercial product appears to CLDAP ping every single AD controller it finds (via DNS SRV lookup). And when one responds, it queries that DC to get site, preferred DCs, etc. So the commercial product work, even in the face of most AD DCs blocked. adcli join and sssd appears to CLDAP ping only 4-5 AD DCs. If they don't get a response back, you get an error. If it's lucky enough to CLDAP ping an unblocked AD DC -- life is good, otherwise not so much. Is there an option in adcli join and the sssd startup to CLDAP ping all DCs? Like the commercial product's behaviour? Obviously, I could hard-code the KDCs in /etc/krb5.conf. But there's multiple downsides to that: 1. AD team switches out DCs w/o notice. 2. Hard to programmatically script out for new builds, as the list of DCs would vary according to each firewalled-off segment. Spike

3 years, 11 months

3
3
0 / 0

The SSSD and sIDHistory

by Lawrence Kearney

Hello! A question, is it possible now, or would there be value in developing the ability, for the daemon to use the siDHistory attribute when id-mapping is used for users and groups that are migrated to new domains? If I assume correctly, normally there would not be a need for this because in direct integration mode id-mapping is constrained by the domain, so the object SID is the object SID. However, if you are migrating users to a new domain(s) (as the result of organisational changes or upgrades for example) it would be very useful if a specific value in the sIDHistory attribute could be referenced for id-mapping so POSIX file systems or other data relationships tied to UID/GID enumerations if they exist were not negatively impacted. And again, if I understand correctly indirect integration modes do not solve this potential issue if the target users reside in domains trusted by the IPA domain. Suggestions or feedback if I misunderstand, and if I do understand correctly is there a possibility of developing a solution for this use case? Many thanks as always, -- lawrence

3 years, 11 months

1
0
0 / 0

On CentOS v 8.1, Unable to join MS Windows Active Directory Domain running MS Windows 2003

by Daniel Adeniji

Error Message states "KDC has no support for encryption type". Write Up Here https://docs.google.com/document/d/102UCuMB5IkiPb15468EcWN8-h-t6PfRe1rq6Q... Thanks, Daniel Adeniji ========================================================================================= Linux - Security - Active Directory Purpose Trying to connect a CentOS Linux box to a Microsoft Windows Active Directory Domain. Specification Linux Version uname >uname -r 4.18.0-147.5.1.el8_1.x86_64 lsb_release >sudo lsb_release -d Description: CentOS Linux release 8.1.1911 (Core) Microsoft OS Version MS Windows 2003 TroubleShooting kinit Syntax Kinit -V {username}@{domain} Sample KRB5_TRACE=/dev/stdout kinit -V dadeniji(a)EPHRAIMTECH.com Output >KRB5_TRACE=/dev/stdout kinit -V dadeniji(a)EPHRAIMTECH.com. Using default cache: 1000 Using principal: dadeniji(a)EPHRAIMTECH.com. [2448] 1588503907.189313: Getting initial credentials for dadeniji(a)EPHRAIMTECH.com. [2448] 1588503907.189315: Sending unauthenticated request [2448] 1588503907.189316: Sending request (224 bytes) to EPHRAIMTECH.com. [2448] 1588503907.189317: Sending DNS URI query for _kerberos.EPHRAIMTECH.com. [2448] 1588503907.189318: No URI records found [2448] 1588503907.189319: Sending DNS SRV query for _kerberos._udp.EPHRAIMTECH.com. [2448] 1588503907.189320: SRV answer: 0 100 88 "harvest.ephraimtech.com." [2448] 1588503907.189321: Sending DNS SRV query for _kerberos._tcp.EPHRAIMTECH.com. [2448] 1588503907.189322: SRV answer: 0 100 88 "harvest.ephraimtech.com." [2448] 1588503907.189323: Resolving hostname harvest.ephraimtech.com. [2448] 1588503907.189324: Sending initial UDP request to dgram 10.0.4.6:88 [2448] 1588503907.189325: Received answer (104 bytes) from dgram 10.0.4.6:88 [2448] 1588503907.189326: Sending DNS URI query for _kerberos.EPHRAIMTECH.com. [2448] 1588503907.189327: No URI records found [2448] 1588503907.189328: Sending DNS SRV query for _kerberos-master._udp.EPHRAIMTECH.com. [2448] 1588503907.189329: No SRV records found [2448] 1588503907.189330: Response was not from master KDC [2448] 1588503907.189331: Received error from KDC: -1765328370/KDC has no support for encryption type [2448] 1588503907.189332: Retrying AS request with master KDC [2448] 1588503907.189333: Getting initial credentials for dadeniji(a)EPHRAIMTECH.com. [2448] 1588503907.189335: Sending unauthenticated request [2448] 1588503907.189336: Sending request (224 bytes) to EPHRAIMTECH.com. (master) [2448] 1588503907.189337: Sending DNS URI query for _kerberos.EPHRAIMTECH.com. [2448] 1588503907.189338: No URI records found [2448] 1588503907.189339: Sending DNS SRV query for _kerberos-master._udp.EPHRAIMTECH.com. [2448] 1588503907.189340: Sending DNS SRV query for _kerberos-master._tcp.EPHRAIMTECH.com. [2448] 1588503907.189341: No SRV records found kinit: KDC has no support for encryption type while getting initial credentials Error Error Message kinit: KDC has no support for encryption type while getting initial credentials adcli Syntax Adcli join {domain-name} -U {username} -v Sample Adcli join ephraimtech.com -U dadeniji -v Output >sudo adcli join ephraimtech.com -U dadeniji -v * Using domain name: ephraimtech.com * Calculated computer account name from fqdn: ADRIEL * Calculated domain realm from name: EPHRAIMTECH.COM * Discovering domain controllers: _ldap._tcp.ephraimtech.com * Sending netlogon pings to domain controller: cldap://10.0.4.6 * Received NetLogon info from: harvest.ephraimtech.com * Wrote out krb5.conf snippet to /tmp/adcli-krb5-vHcn5L/krb5.d/adcli-krb5-conf-G0KCpp Password for dadeniji(a)EPHRAIMTECH.COM: ! Couldn't authenticate as: dadeniji(a)EPHRAIMTECH.COM: KDC has no support for encryption type adcli: couldn't connect to ephraimtech.com domain: Couldn't authenticate as: dadeniji(a)EPHRAIMTECH.COM: KDC has no support for encryption type Configuration /etc/krb5.config # To opt out of the system crypto-policies configuration of krb5, remove the # symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated. includedir /etc/krb5.conf.d/ # Temporarily enable logging debug_level=10 [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt spake_preauth_groups = edwards25519 default_ccache_name = KEYRING:persistent:%{uid} default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 defaukt_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 allow_weak_crypto = true dns_lookup_kdc = true [realms] # EXAMPLE.COM = { # kdc = kerberos.example.com # admin_server = kerberos.example.com # } [domain_realm] # .example.com = EXAMPLE.COM # example.com = EXAMPLE.COM ~

3 years, 11 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

sssd-users May 2020