Re: ldap_access_filter ignored for some users
by Jakub Hrozek
On Mon, May 18, 2020 at 03:53:15PM +0000, Sajesh Singh wrote:
> If there were no PAM requests then what could be triggering SSSD to do the lookup that I see in the logs?
>
> -Sajesh-
Oh, sorry, you're right, there is pam_print_data also in the second
snippet. What log level was this gathered with? The pam responder logs
would be useful either way.
3 years, 11 months
Announcing SSSD 2.3.0
by Pavel Březina
# SSSD 2.3.0
The SSSD team is proud to announce the release of version 2.3.0 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/sssd-2_3_0
See the full release notes at:
https://sssd.github.io/docs/users/relnotes/notes_2_3_0
RPM packages will be made available for Fedora shortly.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
## Highlights
### New features
- SSSD can now handle `hosts` and `networks` nsswitch databases (see
`resolver_provider` option)
- By default, an authentication request only refreshes the user's initgroups if
they have expired or the user has no active session (see
`pam_initgroups_scheme` option)
- OpenSSL is used as default crypto provider, NSS is deprecated
- Active Directory provider now defaults to GSS-SPNEGO SASL mechanism
(see `ldap_sasl_mech` option)
- Active Directory provider can now be configured to use only `ldaps`
port (see `ad_use_ldaps` option)
- SSSD now accepts host entries from GPO's security filter
- Format of debug messages has changed to be shorter and better sortable
- New debug level (`0x10000`) was added for low level ldb messages only
(see `sssd.conf` man page)
### Packaging changes
- New configure option `--enable-gss-spnego-for-zero-maxssf`
### Documentation Changes
- Default value of `ldap_sasl_mech` has changed to `GSS-SPNEGO` for AD
provider
- Return codes of `pam_sss.so` are documented in the `pam_sss` manpage
- Added option `ad_update_samba_machine_account_password`
- Added option `ad_use_ldaps`
- Added option `ldap_iphost_object_class`
- Added option `ldap_iphost_name`
- Added option `ldap_iphost_number`
- Added option `ldap_ipnetwork_object_class`
- Added option `ldap_ipnetwork_name`
- Added option `ldap_ipnetwork_number`
- Added option `ldap_iphost_search_base`
- Added option `ldap_ipnetwork_search_base`
- Added option `ldap_connection_expire_offset`
- Added option `ldap_sasl_maxssf`
- Added option `pam_initgroups_scheme`
- Added option `entry_cache_resolver_timeout`
- Added option `entry_cache_computer_timeout`
- Added option `resolver_provider`
- Added option `proxy_resolver_lib_name`
- Minor text improvements
3 years, 11 months
sssd not able to see global AD groups in trusted domains -- expected behavior?
by Spike White
All,
For RHEL7 and RHEL8 sssd, it can see domain-local AD groups (from the local
domain) + global groups (from the local domain) + universal groups (from
all trusted domains).
Yet it cannot see global groups from non-local trusted domains. We have
those teams convert the group to universal groups and the problem is solved
(we don't use many global groups anyway).
Is this expected behaviour?
In the /etc/sssd/sssd.conf file, the local domain is defined and then the
other trusted domains are auto-discovered, so it's searching the GC
to find universal group memberships. I mention the trusted domains in
"domain_resolution_order".
Like I say -- this is not a big problem. We rarely use global groups
anyway. Just curious if this is expected behaviour.
Spike
3 years, 11 months
Re: ldap_access_filter ignored for some users
by Jakub Hrozek
On Mon, May 18, 2020 at 01:29:49PM +0000, Sajesh Singh wrote:
> Jakub,
> Both of the logins were via a web application that uses the underlying PAM subsystem on the server.
Then you should look into the pam responder logs, too, because the back
end logs show no PAM request.
3 years, 11 months
Re: ldap_access_filter ignored for some users
by Jakub Hrozek
On Fri, May 15, 2020 at 05:07:30PM +0000, Sajesh Singh wrote:
> CentOS 7.8
> SSSD 1.16.4
>
> Having a strange issue where the ldap_access_filter seems to be applied to some users and not others when they are both logging into the same application that is using the underlying OS PAM configuration. Below are the excerpts from the logs:
>
> USERA log entries:
> (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERA
> (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user USERA@default
> (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [USERA@default].
> (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [USERA@default].
> (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default
> (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
> (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=USERA)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX].
> (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
> (Fri May 15 12:35:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=USERA@default] from reply table
> (Fri May 15 12:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
> (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default]
> (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default]
> (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=USERA)(allowedService=USERAAdmin)))][uid=USERA,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX].
> (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
> (Fri May 15 12:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
> (Fri May 15 12:35:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][name=USERAadmin@default]
> (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=USERAadmin)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX].
> (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERAadmin
> (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_group] (0x0400): Processing group USERAadmin@default
> (Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_group] (0x0400): Storing info for group USERAadmin@default
> (Fri May 15 12:35:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:2::default:name=USERAadmin@default] from reply table
> (Fri May 15 12:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
> (Fri May 15 12:40:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=USERA@default]
> (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX].
> (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERA
> (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user USERA@default
> (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [USERA@default].
> (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [USERA@default].
> (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default
> (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
> (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=USERA)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX].
> (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
> (Fri May 15 12:40:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=USERA@default] from reply table
> (Fri May 15 12:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
> (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default]
> (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default]
> (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=USERA)(allowedService=USERAAdmin)))][uid=USERA,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX].
> (Fri May 15 12:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
> (Fri May 15 12:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
> (Fri May 15 12:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
> (Fri May 15 12:45:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=USERA@default]
> (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX].
> (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERA
> (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user USERA@default
> (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [USERA@default].
> (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [USERA@default].
> (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default
> (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
> (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=USERA)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX].
> (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
> (Fri May 15 12:45:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=USERA@default] from reply table
> (Fri May 15 12:45:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
> (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default]
> (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default]
> (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=USERA)(allowedService=USERAAdmin)))][uid=USERA,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX].
> (Fri May 15 12:45:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
> (Fri May 15 12:45:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
> (Fri May 15 12:45:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
> (Fri May 15 12:50:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=USERA@default]
> (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX].
> (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERA
> (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user USERA@default
> (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [USERA@default].
> (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [USERA@default].
> (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default
> (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
> (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=USERA)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX].
> (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
> (Fri May 15 12:50:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=USERA@default] from reply table
> (Fri May 15 12:50:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
> (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default]
> (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default]
> (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=ObjectClassA)(objectClass=ObjectClassB)(AttributeA=TRUE)(|(AttributeB=ServiceC)(AttributeC=ServiceA)(AttributeC=ServiceB)))][uid=USERA,ou=OUA,ou=OUB,dc=DOMAIN,dc=SUFFIX].
> (Fri May 15 12:50:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
> (Fri May 15 12:50:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
> (Fri May 15 12:50:02 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
>
>
> USERB log entries:
>
> (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object emu
> (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user emu@default
> (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [emu@default].
> (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [emu@default].
> (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user emu@default
> (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
> (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=emu)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX].
> (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
> (Fri May 15 10:35:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=emu@default] from reply table
> (Fri May 15 10:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default
> (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [emu@default]
> (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [emu@default]
> (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=EMU)(allowedService=EMUAdmin)))][uid=emu,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX].
> (Fri May 15 10:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
> (Fri May 15 10:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default
> (Fri May 15 10:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default
> (Fri May 15 10:40:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=emu@default]
> (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX].
> (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object emu
> (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user emu@default
> (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [emu@default].
> (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [emu@default].
> (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user emu@default
> (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
> (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=emu)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX].
> (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
> (Fri May 15 10:40:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=emu@default] from reply table
> (Fri May 15 10:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default
> (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [emu@default]
> (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [emu@default]
> (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=EMU)(allowedService=EMUAdmin)))][uid=emu,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX].
> (Fri May 15 10:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
> (Fri May 15 10:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default
> (Fri May 15 10:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default
> (Fri May 15 10:40:10 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object emu
> (Fri May 15 10:40:10 2020) [sssd[be[default]]] [sdap_save_group] (0x0400): Processing group emu@default
> (Fri May 15 10:40:10 2020) [sssd[be[default]]] [sdap_save_group] (0x0400): Storing info for group emu@default
> (Fri May 15 10:40:53 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=emu@default]
> (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX].
> (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object emu
> (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user emu@default
> (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [emu@default].
> (Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [emu@default].
>
> As you can see from the 2 log excerpts USERB never has the ldap_access_filter check applied while it is done for USERA. Has anyone encountered this before?
There is no login attempt here; how did USERB log in? Was it su from root
by any chance?
3 years, 11 months
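A small triage script for the back end log format quoted in the reply above, added here as an example and not part of the thread or the SSSD project. It pairs each data provider request (`dp_get_account_info_handler`) with a following `sdap_access_filter_send` check and counts `pam_print_data` lines per user, so a user whose requests were never followed by an access filter evaluation stands out; the sample lines are constructed in the same shape as the excerpts.

```python
"""Triage helper for SSSD back end debug logs (sssd_<domain>.log).

Added example, not SSSD project code. For every user it pairs each account
request the data provider handled (e.g. BE_REQ_INITGROUPS) with the first
ldap_access_filter evaluation (sdap_access_filter_send) that follows within
a short window, and reports requests that were never followed by one. It
also counts how often PAM responder data reached the back end
(pam_print_data), the first thing to compare between two users whose
access filter results differ.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$"
)
# The user shows up in three shapes: "user: X@dom", "user [X@dom]", "name=X@dom".
USER_RE = re.compile(r"(?:user: |user \[|user |name=)(?P<user>[^\s\[\],]+@[^\s\[\],]+)")
TS_FMT = "%a %b %d %H:%M:%S %Y"  # "Fri May 15 12:40:01 2020"

# Constructed sample in the format of the thread's excerpts (not real log data).
SAMPLE_LOG = """\
(Fri May 15 12:40:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=USERA@default]
(Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default
(Fri May 15 12:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
(Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default]
(Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default]
(Fri May 15 10:40:53 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=emu@default]
(Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user emu@default
(Fri May 15 10:40:53 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
"""


def parse_line(line):
    """Return a dict for one back end log line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = USER_RE.search(m["msg"])
    return {
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "domain": m["domain"],
        "func": m["func"],
        "level": int(m["level"], 16),
        "msg": m["msg"],
        "user": u["user"] if u else None,
    }


def analyze(lines, window=timedelta(seconds=5)):
    """Per user: PAM data count, access filter count, and requests lacking a check."""
    per_user = defaultdict(lambda: {"requests": [], "checks": [], "pam": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["user"] is None:
            continue
        s = per_user[ev["user"]]
        if ev["func"] == "dp_get_account_info_handler":
            kind = re.search(r"\[(BE_REQ_[A-Z_]+)\]", ev["msg"])
            s["requests"].append((ev["ts"], kind.group(1) if kind else "?"))
        elif ev["func"] == "sdap_access_filter_send":
            s["checks"].append(ev["ts"])
        elif ev["func"] == "pam_print_data":
            s["pam"] += 1
    report = {}
    for user, s in per_user.items():
        # A request is "checked" if an access filter evaluation follows it
        # within the window; anything else is reported for closer inspection.
        unchecked = [
            (ts.strftime(TS_FMT), kind) for ts, kind in s["requests"]
            if not any(ts <= c <= ts + window for c in s["checks"])
        ]
        report[user] = {
            "pam_requests": s["pam"],
            "access_checks": len(s["checks"]),
            "unchecked_requests": unchecked,
        }
    return report


def users_lacking_access_check(report):
    """Users with at least one request that no access filter check followed."""
    return sorted(u for u, r in report.items() if r["unchecked_requests"])


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG.splitlines())
    for user, r in sorted(rep.items()):
        print(user, r)
    print("needs a look:", users_lacking_access_check(rep))
```

Run it over a real sssd_<domain>.log gathered at debug_level 6 or higher; the pam responder log still has to be read separately, as the reply above points out.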
ldap_access_filter ignored for some users
by Sajesh Singh
CentOS 7.8
SSSD 1.16.4
Having a strange issue where the ldap_access_filter seems to be applied to some users and not others when they are both logging into the same application that is using the underlying OS PAM configuration. Below are the excerpts from the logs:
USERA log entries:
(Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERA
(Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user USERA@default
(Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [USERA@default].
(Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [USERA@default].
(Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default
(Fri May 15 12:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
(Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=USERA)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX].
(Fri May 15 12:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
(Fri May 15 12:35:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=USERA@default] from reply table
(Fri May 15 12:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
(Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default]
(Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default]
(Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=USERA)(allowedService=USERAAdmin)))][uid=USERA,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX].
(Fri May 15 12:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
(Fri May 15 12:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
(Fri May 15 12:35:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][name=USERAadmin@default]
(Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=USERAadmin)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX].
(Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERAadmin
(Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_group] (0x0400): Processing group USERAadmin@default
(Fri May 15 12:35:01 2020) [sssd[be[default]]] [sdap_save_group] (0x0400): Storing info for group USERAadmin@default
(Fri May 15 12:35:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:2::default:name=USERAadmin@default] from reply table
(Fri May 15 12:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
(Fri May 15 12:40:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=USERA@default]
(Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX].
(Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERA
(Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user USERA@default
(Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [USERA@default].
(Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [USERA@default].
(Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default
(Fri May 15 12:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
(Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=USERA)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX].
(Fri May 15 12:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
(Fri May 15 12:40:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=USERA@default] from reply table
(Fri May 15 12:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
(Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default]
(Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default]
(Fri May 15 12:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=USERA)(allowedService=USERAAdmin)))][uid=USERA,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX].
(Fri May 15 12:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
(Fri May 15 12:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
(Fri May 15 12:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
(Fri May 15 12:45:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=USERA@default]
(Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX].
(Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERA
(Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user USERA@default
(Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [USERA@default].
(Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [USERA@default].
(Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default
(Fri May 15 12:45:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
(Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=USERA)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX].
(Fri May 15 12:45:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
(Fri May 15 12:45:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=USERA@default] from reply table
(Fri May 15 12:45:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
(Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default]
(Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default]
(Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=USERA)(allowedService=USERAAdmin)))][uid=USERA,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX].
(Fri May 15 12:45:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
(Fri May 15 12:45:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
(Fri May 15 12:45:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
(Fri May 15 12:50:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=USERA@default]
(Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX].
(Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object USERA
(Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user USERA@default
(Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [USERA@default].
(Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [USERA@default].
(Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user USERA@default
(Fri May 15 12:50:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
(Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=USERA)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX].
(Fri May 15 12:50:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
(Fri May 15 12:50:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=USERA@default] from reply table
(Fri May 15 12:50:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
(Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [USERA@default]
(Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default]
(Fri May 15 12:50:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(objectclass=ObjectClassA)(objectClass=ObjectClassB)(AttributeA=TRUE)(|(AttributeB=ServiceC)(AttributeC=ServiceA)(AttributeC=ServiceB)))][uid=USERA,ou=OUA,ou=OUB,dc=DOMAIN,dc=SUFFIX].
(Fri May 15 12:50:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=USERA@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
(Fri May 15 12:50:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
(Fri May 15 12:50:02 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
USERB log entries:
(Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object emu
(Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user emu@default
(Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [emu@default].
(Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [emu@default].
(Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user emu@default
(Fri May 15 10:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
(Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=emu)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX].
(Fri May 15 10:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
(Fri May 15 10:35:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=emu@default] from reply table
(Fri May 15 10:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default
(Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [emu@default]
(Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [emu@default]
(Fri May 15 10:35:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=EMU)(allowedService=EMUAdmin)))][uid=emu,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX].
(Fri May 15 10:35:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
(Fri May 15 10:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default
(Fri May 15 10:35:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default
(Fri May 15 10:40:01 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=emu@default]
(Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX].
(Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object emu
(Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user emu@default
(Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [emu@default].
(Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [emu@default].
(Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user emu@default
(Fri May 15 10:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
(Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=emu)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=DOMAIN,dc=SUFFIX].
(Fri May 15 10:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
(Fri May 15 10:40:01 2020) [sssd[be[default]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::default:name=emu@default] from reply table
(Fri May 15 10:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default
(Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [emu@default]
(Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [emu@default]
(Fri May 15 10:40:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount)(objectClass=posixAccount)(accountActive=TRUE)(|(allowedService=unixAdmin)(allowedService=EMU)(allowedService=EMUAdmin)))][uid=emu,ou=posixAccounts,ou=Apps,dc=DOMAIN,dc=SUFFIX].
(Fri May 15 10:40:01 2020) [sssd[be[default]]] [sysdb_set_entry_attr] (0x0200): Entry [name=emu@default,cn=users,cn=default,cn=sysdb] has set [ts_cache] attrs.
(Fri May 15 10:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default
(Fri May 15 10:40:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default
(Fri May 15 10:40:10 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object emu
(Fri May 15 10:40:10 2020) [sssd[be[default]]] [sdap_save_group] (0x0400): Processing group emu@default
(Fri May 15 10:40:10 2020) [sssd[be[default]]] [sdap_save_group] (0x0400): Storing info for group emu@default
(Fri May 15 10:40:53 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=emu@default]
(Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=DOMAIN,dc=SUFFIX].
(Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object emu
(Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user emu@default
(Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): Original memberOf is not available for [emu@default].
(Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_save_user] (0x0400): User principal is not available for [emu@default].
As you can see from the 2 log excerpts USERB never has the ldap_access_filter check applied while it is done for USERA. Has anyone encountered this before?
Thank you,
Sajesh
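A small triage script for excerpts like the ones above, added here as an example (not part of the original thread or of SSSD itself): it parses the sssd debug line format, tallies per user how many PAM requests, initgroups lookups and ldap_access_filter checks appear, records the LDAP filter each access check sent, and lists users that hit the PAM path without any access-filter check. The embedded log lines are constructed to mirror the excerpts and are not the poster's data.

```python
import re
from collections import defaultdict

# Matches the sssd debug line format seen in the excerpts above.
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<comp>.+?)\]\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Pulls the user out of the three message shapes the audit cares about.
USER_RE = re.compile(r"(?:user: |for user \[|\[name=)(?P<user>[^\]\s]+)")
FILTER_RE = re.compile(r"ldap_search_ext with \[(?P<filter>\([^\]]*\))\]\[(?P<base>[^\]]+)\]")

# Constructed sample modeled on the excerpts above (not the poster's actual log).
SAMPLE_LOG = """\
(Fri May 15 12:45:01 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: USERA@default
(Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [USERA@default]
(Fri May 15 12:45:01 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=USERA)(accountActive=TRUE))][uid=USERA,ou=posixAccounts,dc=DOMAIN,dc=SUFFIX].
(Fri May 15 10:40:53 2020) [sssd[be[default]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=emu@default]
(Fri May 15 10:40:53 2020) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=emu)(objectclass=posixAccount))][dc=DOMAIN,dc=SUFFIX].
(Fri May 15 10:40:53 2020) [sssd[be[default]]] [pam_print_data] (0x0100): user: emu@default
"""

def audit_access_checks(lines):
    """Per user: PAM requests, initgroups lookups and access-filter checks seen,
    plus the LDAP filter each access check sent to the server."""
    summary = defaultdict(lambda: {"pam": 0, "initgroups": 0, "access_filter": 0, "filters": []})
    pending = None  # user whose access-filter LDAP search should come next
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        func, msg = m.group("func"), m.group("msg")
        um = USER_RE.search(msg)
        user = um.group("user") if um else None
        if func == "pam_print_data" and user:
            summary[user]["pam"] += 1
        elif func == "dp_get_account_info_handler" and user and "BE_REQ_INITGROUPS" in msg:
            summary[user]["initgroups"] += 1
        elif func == "sdap_access_filter_send" and user:
            summary[user]["access_filter"] += 1
            pending = user
        elif func == "sdap_get_generic_ext_step" and pending:
            fm = FILTER_RE.search(msg)
            if fm:
                summary[pending]["filters"].append(fm.group("filter"))
            pending = None
    return dict(summary)

def users_missing_access_check(summary):
    """Users that went through the PAM path without ldap_access_filter being evaluated."""
    return sorted(u for u, s in summary.items() if s["pam"] and not s["access_filter"])
```

Feed it the backend log (`audit_access_checks(open("/var/log/sssd/sssd_default.log").read().splitlines())`, path assumed) and compare the recorded filters between users to see whether the same `ldap_access_filter` was sent for each.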
sssd behavior when most AD controllers blocked?
by Spike White
All,
sssd migration has been working very well for us -- except in the DMZs and
heavily-restricted firewalled network segments.
For those network segments, the AD site is the same as the equivalent
corporate location. So the typical DNS SRV record lookup reports a wealth
of AD controllers -- most of which are blocked (no LDAPS traffic
allowed).
A couple of AD DCs are in the DMZ, etc.
The old commercial product appears to CLDAP ping every single AD controller
it finds (via DNS SRV lookup). And when one responds, it queries that DC
to get site, preferred DCs, etc. So the commercial product works, even in
the face of most AD DCs blocked.
adcli join and sssd appear to CLDAP ping only 4-5 AD DCs. If they don't
get a response back, you get an error. If it's lucky enough to CLDAP ping
an unblocked AD DC -- life is good, otherwise not so much.
Is there an option in adcli join and the sssd startup to CLDAP ping all
DCs? Like the commercial product's behaviour?
Obviously, I could hard-code the KDCs in /etc/krb5.conf. But there are
multiple downsides to that:
1. AD team switches out DCs w/o notice.
2. Hard to programmatically script out for new builds, as the list of
DCs would vary according to each firewalled-off segment.
Spike
The SSSD and sIDHistory
by Lawrence Kearney
Hello! A question: is it possible now, or would there be value in
developing the ability, for the daemon to use the sIDHistory attribute when
id-mapping is used for users and groups that are migrated to new domains?
If I assume correctly, normally there would not be a need for this because
in direct integration mode id-mapping is constrained by the domain, so the
object SID is the object SID. However, if you are migrating users to a new
domain(s) (as the result of organisational changes or upgrades for example)
it would be very useful if a specific value in the sIDHistory attribute
could be referenced for id-mapping so POSIX file systems or other data
relationships tied to UID/GID enumerations if they exist were not
negatively impacted.
And again, if I understand correctly indirect integration modes do not
solve this potential issue if the target users reside in domains trusted by
the IPA domain.
Suggestions or feedback if I misunderstand, and if I do understand
correctly, is there a possibility of developing a solution for this use case?
Many thanks as always,
-- lawrence
On CentOS v 8.1, Unable to join MS Windows Active Directory Domain running MS Windows 2003
by Daniel Adeniji
Error Message states "KDC has no support for encryption type".
Write Up Here
https://docs.google.com/document/d/102UCuMB5IkiPb15468EcWN8-h-t6PfRe1rq6Q...
Thanks,
Daniel Adeniji
=========================================================================================
Linux - Security - Active Directory
Purpose
Trying to connect a CentOS Linux box to a Microsoft Windows Active Directory Domain.
Specification
Linux
Version
uname
>uname -r
4.18.0-147.5.1.el8_1.x86_64
lsb_release
>sudo lsb_release -d
Description: CentOS Linux release 8.1.1911 (Core)
Microsoft
OS Version
MS Windows 2003
TroubleShooting
kinit
Syntax
kinit -V {username}@{domain}
Sample
KRB5_TRACE=/dev/stdout kinit -V dadeniji@EPHRAIMTECH.com
Output
>KRB5_TRACE=/dev/stdout kinit -V dadeniji@EPHRAIMTECH.com.
Using default cache: 1000
Using principal: dadeniji@EPHRAIMTECH.com.
[2448] 1588503907.189313: Getting initial credentials for dadeniji@EPHRAIMTECH.com.
[2448] 1588503907.189315: Sending unauthenticated request
[2448] 1588503907.189316: Sending request (224 bytes) to EPHRAIMTECH.com.
[2448] 1588503907.189317: Sending DNS URI query for _kerberos.EPHRAIMTECH.com.
[2448] 1588503907.189318: No URI records found
[2448] 1588503907.189319: Sending DNS SRV query for _kerberos._udp.EPHRAIMTECH.com.
[2448] 1588503907.189320: SRV answer: 0 100 88 "harvest.ephraimtech.com."
[2448] 1588503907.189321: Sending DNS SRV query for _kerberos._tcp.EPHRAIMTECH.com.
[2448] 1588503907.189322: SRV answer: 0 100 88 "harvest.ephraimtech.com."
[2448] 1588503907.189323: Resolving hostname harvest.ephraimtech.com.
[2448] 1588503907.189324: Sending initial UDP request to dgram 10.0.4.6:88
[2448] 1588503907.189325: Received answer (104 bytes) from dgram 10.0.4.6:88
[2448] 1588503907.189326: Sending DNS URI query for _kerberos.EPHRAIMTECH.com.
[2448] 1588503907.189327: No URI records found
[2448] 1588503907.189328: Sending DNS SRV query for _kerberos-master._udp.EPHRAIMTECH.com.
[2448] 1588503907.189329: No SRV records found
[2448] 1588503907.189330: Response was not from master KDC
[2448] 1588503907.189331: Received error from KDC: -1765328370/KDC has no support for encryption type
[2448] 1588503907.189332: Retrying AS request with master KDC
[2448] 1588503907.189333: Getting initial credentials for dadeniji@EPHRAIMTECH.com.
[2448] 1588503907.189335: Sending unauthenticated request
[2448] 1588503907.189336: Sending request (224 bytes) to EPHRAIMTECH.com. (master)
[2448] 1588503907.189337: Sending DNS URI query for _kerberos.EPHRAIMTECH.com.
[2448] 1588503907.189338: No URI records found
[2448] 1588503907.189339: Sending DNS SRV query for _kerberos-master._udp.EPHRAIMTECH.com.
[2448] 1588503907.189340: Sending DNS SRV query for _kerberos-master._tcp.EPHRAIMTECH.com.
[2448] 1588503907.189341: No SRV records found
kinit: KDC has no support for encryption type while getting initial credentials
Error
Error Message
kinit: KDC has no support for encryption type while getting initial credentials
adcli
Syntax
adcli join {domain-name} -U {username} -v
Sample
adcli join ephraimtech.com -U dadeniji -v
Output
>sudo adcli join ephraimtech.com -U dadeniji -v
* Using domain name: ephraimtech.com
* Calculated computer account name from fqdn: ADRIEL
* Calculated domain realm from name: EPHRAIMTECH.COM
* Discovering domain controllers: _ldap._tcp.ephraimtech.com
* Sending netlogon pings to domain controller: cldap://10.0.4.6
* Received NetLogon info from: harvest.ephraimtech.com
* Wrote out krb5.conf snippet to /tmp/adcli-krb5-vHcn5L/krb5.d/adcli-krb5-conf-G0KCpp
Password for dadeniji@EPHRAIMTECH.COM:
! Couldn't authenticate as: dadeniji@EPHRAIMTECH.COM: KDC has no support for encryption type
adcli: couldn't connect to ephraimtech.com domain: Couldn't authenticate as: dadeniji@EPHRAIMTECH.COM: KDC has no support for encryption type
Configuration
/etc/krb5.conf
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/
# Temporarily enable logging
debug_level=10
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_ccache_name = KEYRING:persistent:%{uid}
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
defaukt_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
allow_weak_crypto = true
dns_lookup_kdc = true
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
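A krb5.conf sanity check of the kind worth running before chasing a KDC error, added here as an example and not part of the original post or of MIT krb5: it flags relations placed before any [section] header, [libdefaults] keys that are not in a (constructed, non-exhaustive) allowlist of documented relation names, and enctype lists or flags that keep single-DES or RC4 in play. The embedded configuration is a constructed sample modeled on the one posted above, not the poster's file.

```python
import re

SECTION_RE = re.compile(r"^\[(\w+)\]$")
RELATION_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")

# Non-exhaustive allowlist of documented [libdefaults] relations (constructed; extend per site).
LIBDEFAULTS_KEYS = {
    "allow_weak_crypto", "default_ccache_name", "default_realm", "default_tgs_enctypes",
    "default_tkt_enctypes", "dns_lookup_kdc", "dns_lookup_realm", "forwardable",
    "permitted_enctypes", "pkinit_anchors", "rdns", "renew_lifetime",
    "spake_preauth_groups", "ticket_lifetime", "udp_preference_limit", "verify_ap_req_nofail",
}
ENCTYPE_KEYS = {"default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"}
# Single DES is "weak" in MIT terms (dropped unless allow_weak_crypto = true); RC4 and 3DES are deprecated.
WEAK_OR_DEPRECATED = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1",
                      "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "des3-cbc-sha1"}

def lint_krb5_conf(text):
    """Return (line_no, kind, detail) findings for the body of a krb5.conf."""
    findings, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;" or line.split()[0] in ("include", "includedir"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = RELATION_RE.match(line)
        if not m:
            continue  # subsection braces, stray editor output, etc.
        key, value = m.group(1), m.group(2).strip()
        if section is None:
            findings.append((no, "outside_section", f"{key} set before any [section] header"))
        elif section != "libdefaults":
            continue
        elif key not in LIBDEFAULTS_KEYS:
            findings.append((no, "unknown_key", f"{key} is not a known [libdefaults] relation (typo?)"))
        elif key in ENCTYPE_KEYS:
            bad = [e for e in value.split() if e in WEAK_OR_DEPRECATED]
            if bad:
                findings.append((no, "weak_enctype", f"{key} lists {' '.join(bad)}"))
        elif key == "allow_weak_crypto" and value.lower() == "true":
            findings.append((no, "weak_crypto", "allow_weak_crypto = true keeps single-DES types usable"))
    return findings

# Constructed sample modeled on the krb5.conf posted above (not the poster's file).
SAMPLE_KRB5_CONF = """\
includedir /etc/krb5.conf.d/
debug_level=10
[libdefaults]
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 defaukt_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 allow_weak_crypto = true
"""
```

Run `lint_krb5_conf(open("/etc/krb5.conf").read())` on a host; a misspelled relation such as `defaukt_tkt_enctypes` is silently never applied, which is exactly the kind of finding to rule out before blaming the KDC.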