sssd-users May 2020

sssd-users@lists.fedorahosted.org

18 participants
21 discussions

The SSSD and sIDHistory
by Lawrence Kearney 20 May '20

20 May '20

Hello! A question, is it possible now, or would there be value in developing the ability, for the daemon to use the siDHistory attribute when id-mapping is used for users and groups that are migrated to new domains? If I assume correctly, normally there would not be a need for this because in direct integration mode id-mapping is constrained by the domain, so the object SID is the object SID. However, if you are migrating users to a new domain(s) (as the result of organisational changes or upgrades for example) it would be very useful if a specific value in the sIDHistory attribute could be referenced for id-mapping so POSIX file systems or other data relationships tied to UID/GID enumerations if they exist were not negatively impacted. And again, if I understand correctly indirect integration modes do not solve this potential issue if the target users reside in domains trusted by the IPA domain. Suggestions or feedback if I misunderstand, and if I do understand correctly is there a possibility of developing a solution for this use case? Many thanks as always, -- lawrence

3 3

Re: ldap_access_filter ignored for some users
by Jakub Hrozek 19 May '20

19 May '20

On Mon, May 18, 2020 at 03:53:15PM +0000, Sajesh Singh wrote: > If there were no PAM requests then what could be triggering SSSD to do the lookup that I see in the logs? > > -Sajesh- Oh, sorry, you're right, there is pam_print_data also in the second snippet. What log level was this gathered with? The pam responder logs would be useful either way.

2 1

Announcing SSSD 2.3.0
by Pavel Březina 19 May '20

19 May '20

# SSSD 2.3.0 The SSSD team is proud to announce the release of version 2.3.0 of the System Security Services Daemon. The tarball can be downloaded from: https://github.com/SSSD/sssd/releases/tag/sssd-2_3_0 See the full release notes at: https://sssd.github.io/docs/users/relnotes/notes_2_3_0 RPM packages will be made available for Fedora shortly. ## Feedback Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users ## Highlights ### New features - SSSD can now handle `hosts` and `networks` nsswitch databases (see `resolve_provider` option) - By default, authentication request only refresh user's initgroups if it is expired or there is not active user's session (see `pam_initgroups_scheme` option) - OpenSSL is used as default crypto provider, NSS is deprecated - Active Directory provider now defaults to GSS-SPNEGO SASL mechanism (see `ldap_sasl_mech` option) - Active Directory provider can now be configured to use only `ldaps` port (see `ad_use_ldaps` option) - SSSD now accepts host entries from GPO's security filter - Format of debug messages has changed to be shorter and better sortable - New debug level (`0x10000`) was added for low level ldb messages only (see `sssd.conf` man page) ### Packaging changes - New configure option `--enable-gss-spnego-for-zero-maxssf` ### Documentation Changes - Default value of `ldap_sasl_mech` has changed to `GSS-SPNEGO` for AD provider - Return code of `pam_sss.so` are documented in `pam_sss` manpage - Added option `ad_update_samba_machine_account_password` - Added option `ad_use_ldaps` - Added option `ldap_iphost_object_class` - Added option `ldap_iphost_name` - Added option `ldap_iphost_number` - Added option `ldap_ipnetwork_object_class` - Added option `ldap_ipnetwork_name` - Added option `ldap_ipnetwork_number` - Added option `ldap_iphost_search_base` - Added option `ldap_ipnetwork_search_base` - Added option `ldap_connection_expire_offset` - Added option `ldap_sasl_maxssf` - Added option `pam_initgroups_scheme` - Added option `entry_cache_resolver_timeout` - Added option `entry_cache_computer_timeout` - Added option `resolver_provider` - Added option `proxy_resolver_lib_name` - Minor text improvements

3 3

using smartcard auth with sssd and kerberos
by Gunnar Hilling 19 May '20

19 May '20

Hi! I'm trying to set up smart card authentication using sssd with user's info stored in active directory. The setup is already working but the authentication is only locally. As I understand it should be possible to acquire a kerberos ticket during authentication? Is there a working example for such a setup? I found https://docs.pagure.org/SSSD.sssd/design_pages/smartcard_authentication_pki… but I'm not really sure how krb5.conf should actually be configured... Kind regards, Gunnar

2 1

sssd not able to see global AD groups in trusted domains -- expected behavior?
by Spike White 19 May '20

19 May '20

All, For RHEL7 and RHEL8 sssd, it can see domain-local AD groups (from the local domain) + global groups (from the local domain) + universal groups (from all trusted domains). Yet it cannot see global groups from non-local trusted domains. We have those team convert the group to universal groups and problem solved. (don't use many global groups anyway), Is this expected behaviour? in the /etc/sssd/sssd.conf file, the local domain is defined and then the other trusted domains are auto-discovered. so that it's searching the GC to find universal group memberships. I mention the trusted domains in "domain_resolution_order". Like I say -- this is not a big problem. We rarely use global groups anyway. Just curious if this is expected behaviour. Spike

2 1

Re: ldap_access_filter ignored for some users
by Jakub Hrozek 18 May '20

18 May '20

On Mon, May 18, 2020 at 01:29:49PM +0000, Sajesh Singh wrote: > Jakub, > Both of the logins were via a web application that uses the underlying PAM subsystem on the server. Then you should look into the pam responder logs, too, because the back end logs show no PAM request.

2 1

Re: ldap_access_filter ignored for some users
by Jakub Hrozek 18 May '20

18 May '20

On Fri, May 15, 2020 at 05:07:30PM +0000, Sajesh Singh wrote: > CentOS 7.8 > SSSD 1.16.4 > > Having a strange issue where the ldap_access_filter seems to be applied to some users and not others when they are both logging into the same application that is using the underlying OS PAM configuration. Below are the excerpts from the logs: > > USERA log entires: > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERA > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user USERA@default > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [USERA@default]. > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [USERA@default]. > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=USERA)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=USERA@default] from reply table > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default] > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default] > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=USERA)(allowedService=USERAAdmin)))][uid=USERA,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][name=USERAadmin@default] > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=USERAadmin)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERAadmin > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_group] (0x0400): Processing group USERAadmin@default > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_group] (0x0400): Storing info for group USERAadmin@default > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:2::default:name=USERAadmin@default] from reply table > (Fri May 15 12:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=USERA@default] > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERA > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user USERA@default > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [USERA@default]. > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [USERA@default]. > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=USERA)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=USERA@default] from reply table > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default] > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default] > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=USERA)(allowedService=USERAAdmin)))][uid=USERA,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default > (Fri May 15 12:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=USERA@default] > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERA > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user USERA@default > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [USERA@default]. > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [USERA@default]. > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=USERA)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=USERA@default] from reply table > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default] > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default] > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=USERA)(allowedService=USERAAdmin)))][uid=USERA,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default > (Fri May 15 12:45:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=USERA@default] > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERA > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user USERA@default > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [USERA@default]. > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [USERA@default]. > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=USERA)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=USERA@default] from reply table > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default] > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default] > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=ObjectClassA)(objectClass=ObjectClassB)(AttributeA=TRUE)(|(AttributeB=ServiceC)(AttributeC=ServiceA)(AttributeC=ServiceB)))][uid=USERA,ou=OUA,ou=OUB,dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 12:50:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default > (Fri May 15 12:50:02 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default > > > USERB log entries: > > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object emu > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user emu@default > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [emu@default]. > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [emu@default]. > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user emu@default > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=emu)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=emu@default] from reply table > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [emu@default] > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [emu@default] > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=EMU)(allowedService=EMUAdmin)))][uid=emu,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default > (Fri May 15 10:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=emu@default] > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object emu > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user emu@default > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [emu@default]. > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [emu@default]. > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user emu@default > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=emu)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=emu@default] from reply table > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [emu@default] > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [emu@default] > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=EMU)(allowedService=EMUAdmin)))][uid=emu,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default > (Fri May 15 10:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default > (Fri May 15 10:40:10 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object emu > (Fri May 15 10:40:10 2020) [sssd[be[default]]] [sdap_save_group] (0x0400): Processing group emu@default > (Fri May 15 10:40:10 2020) [sssd[be[default]]] [sdap_save_group] (0x0400): Storing info for group emu@default > (Fri May 15 10:40:53 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=emu@default] > (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. > (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object emu > (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user emu@default > (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [emu@default]. > (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [emu@default]. > > As you can see from the 2 log excerpts USERB never has the ldap_access_filter check applied while it is done for USERA. Has anyone encounted this before? There is no login attempt here, how did USERB log? Was it su from root by any chance?

2 1

ldap_access_filter ignored for some users
by Sajesh Singh 15 May '20

15 May '20

CentOS 7.8 SSSD 1.16.4 Having a strange issue where the ldap_access_filter seems to be applied to some users and not others when they are both logging into the same application that is using the underlying OS PAM configuration. Below are the excerpts from the logs: USERA log entires: (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERA (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user USERA@default (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [USERA@default]. (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [USERA@default]. (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=USERA)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 12:35:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=USERA@default] from reply table (Fri May 15 12:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default] (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default] (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=USERA)(allowedService=USERAAdmin)))][uid=USERA,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX]. (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 12:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default (Fri May 15 12:35:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][name=USERAadmin@default] (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=USERAadmin)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERAadmin (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_group] (0x0400): Processing group USERAadmin@default (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_group] (0x0400): Storing info for group USERAadmin@default (Fri May 15 12:35:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:2::default:name=USERAadmin@default] from reply table (Fri May 15 12:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default (Fri May 15 12:40:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=USERA@default] (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERA (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user USERA@default (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [USERA@default]. (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [USERA@default]. (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=USERA)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 12:40:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=USERA@default] from reply table (Fri May 15 12:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default] (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default] (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=USERA)(allowedService=USERAAdmin)))][uid=USERA,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX]. (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 12:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default (Fri May 15 12:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default (Fri May 15 12:45:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=USERA@default] (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERA (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user USERA@default (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [USERA@default]. (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [USERA@default]. (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=USERA)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 12:45:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=USERA@default] from reply table (Fri May 15 12:45:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default] (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default] (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=USERA)(allowedService=USERAAdmin)))][uid=USERA,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX]. (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 12:45:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default (Fri May 15 12:45:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default (Fri May 15 12:50:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=USERA@default] (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERA (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user USERA@default (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [USERA@default]. (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [USERA@default]. (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=USERA)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 12:50:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=USERA@default] from reply table (Fri May 15 12:50:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default] (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default] (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=ObjectClassA)(objectClass=ObjectClassB)(AttributeA=TRUE)(|(AttributeB=ServiceC)(AttributeC=ServiceA)(AttributeC=ServiceB)))][uid=USERA,ou=OUA,ou=OUB,dc=DOMAIN,dc=SUFFIX]. (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 12:50:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default (Fri May 15 12:50:02 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default USERB log entries: (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object emu (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user emu@default (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [emu@default]. (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [emu@default]. (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user emu@default (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=emu)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 10:35:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=emu@default] from reply table (Fri May 15 10:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [emu@default] (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [emu@default] (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=EMU)(allowedService=EMUAdmin)))][uid=emu,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX]. (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 10:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default (Fri May 15 10:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default (Fri May 15 10:40:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=emu@default] (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object emu (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user emu@default (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [emu@default]. (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [emu@default]. (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user emu@default (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=emu)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 10:40:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=emu@default] from reply table (Fri May 15 10:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [emu@default] (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [emu@default] (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=EMU)(allowedService=EMUAdmin)))][uid=emu,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX]. (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs. (Fri May 15 10:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default (Fri May 15 10:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default (Fri May 15 10:40:10 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object emu (Fri May 15 10:40:10 2020) [sssd[be[default]]] [sdap_save_group] (0x0400): Processing group emu@default (Fri May 15 10:40:10 2020) [sssd[be[default]]] [sdap_save_group] (0x0400): Storing info for group emu@default (Fri May 15 10:40:53 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=emu@default] (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX]. (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object emu (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user emu@default (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [emu@default]. (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [emu@default]. As you can see from the 2 log excerpts USERB never has the ldap_access_filter check applied while it is done for USERA. Has anyone encounted this before? Thank you, Sajesh

1 0

sssd behavior when most AD controllers blocked?
by Spike White 11 May '20

11 May '20

All, sssd migration has been working very well for us -- except in the DMZs and heavily-restricted firewalled network segments. For those network segments, the AD site is the same as the equivalent corporate location. So the typical DNS SRV record lookup reports a wealth of AD controllers -- most of which are blocked. (not LDAPS traffic allowed). A couple of AD DCs are in the DMZ, etc. The old commercial product appears to CLDAP ping every single AD controller it finds (via DNS SRV lookup). And when one responds, it queries that DC to get site, preferred DCs, etc. So the commercial product work, even in the face of most AD DCs blocked. adcli join and sssd appears to CLDAP ping only 4-5 AD DCs. If they don't get a response back, you get an error. If it's lucky enough to CLDAP ping an unblocked AD DC -- life is good, otherwise not so much. Is there an option in adcli join and the sssd startup to CLDAP ping all DCs? Like the commercial product's behaviour? Obviously, I could hard-code the KDCs in /etc/krb5.conf. But there's multiple downsides to that: 1. AD team switches out DCs w/o notice. 2. Hard to programmatically script out for new builds, as the list of DCs would vary according to each firewalled-off segment. Spike

3 3

The SSSD and sIDHistory
by Lawrence Kearney 11 May '20

11 May '20

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

sssd-users May 2020