January 2021 - sssd-users - Fedora Mailing-Lists

problem obtaining kerberos ticket with sssd

by mbalembo

Hello, I have trouble obtaining a kerberos ticket when loggin with sssd. in /var/log/sssd/krb5_child.log i get the line : [[sssd[krb5_child[9521]]]] [unpack_buffer] (0x0100): cmd [241] uid [10007] gid [10000] validate [false] enterprise principal [true] offline [false] UPN [USER@MYDOMAIN] My problem is i need to restart the service to switch this to "offline [false]". (Note that authentication works otherwise, it's just the kerberos ticket that is missing). Maybe I missed an option to set the update rate ? Thanks, Marc

1 week, 2 days

3
3
0 / 0

sudo (with sssd) command duration 50ms -> 400ms performance degradation

by Judd Gaddie

Hi, We have noticed a performance regression on some of our boxes when we upgraded from Ubuntu 18.04 (sssd 1.16.1-1ubuntu1.7) (sudo 1.8.21p2) -> Ubuntu 20.04 (sssd 2.2.3-3ubuntu0.1) (sudo 1.8.31) (however it was not universal, some Ubuntu 20.04 boxes are fine) joined to a FreeIPA domain. We have noticed the following line takes a long when turned on sudo debug logging (not sure if this is red hearing) sudo_pam_approval @ ../../../plugins/sudoers/auth/pam.c:330 Any idea what may cause this, or something to try would be much appreciated? see benchmark Ubuntu 18.04 ./hyperfine "sudo -u user true" --warmup 5 Benchmark #1: sudo -u trans true Time (mean ± σ): 51.0 ms ± 24.6 ms [User: 5.7 ms, System: 3.5 ms] Range (min … max): 42.1 ms … 236.7 ms 60 runs Ubuntu 20.04 Benchmark #1: sudo -u user true Time (mean ± σ): 436.0 ms ± 36.1 ms [User: 15.2 ms, System: 14.7 ms] Range (min … max): 407.4 ms … 534.3 ms 10 runs

2 weeks, 3 days

2
3
0 / 0

[[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts

by Rudi Dayan

Hello, I would like to implement smartcard authentication to Microsoft AD with sssd on Ubuntu 20.04 LTS. I am able to login to AD with a password but when I try to use a smartcard, after a minute of timeout the password window pops up and even if I put the correct password, I get the following error : "Authentication failure". When I used kinit using a smartcard with the same user the action succeed and I got TGT. I would appreciate your help on this subject. I have attached the configuration files : krb5.conf ,sssd.conf and the log file : krb5_child.log Thank you, Rudi ##################################### krb5.conf ##################################### [logging] default = FILE:/var/log/krb5libs.log [libdefaults] default_realm = DOMAIN.TEST # dns_lookup_realm = true # dns_lookup_kdc = true ticket_lifetime = 24h # renew_lifetime = 7d # forwardable = true # rdns = false pkinit_kdc_hostname = DC.DOMAIN.TEST # pkinit_allow_upn = true pkinit_anchors = DIR:/etc/rootcas/ pkinit_pool = DIR:/etc/rootcas/ pkinit_identities = PKCS11:/lib/libsadaptor.so default_ccache_name = KEYRING:persistent:%{uid} canonicalize = true # The following krb5.conf variables are only for MIT Kerberos. # kdc_timesync = 1 # ccache_type = 4 # proxiable = true # The following encryption type specification will be used by MIT Kerberos # if uncommented. In general, the defaults in the MIT Kerberos code are # correct and overriding these specifications only serves to disable new # encryption types as they are added, creating interoperability problems. # # The only time when you might need to uncomment these lines and change # the enctypes is if you have local software that will break on ticket # caches containing ticket encryption types it doesn't know about (such as # old versions of Sun Java). # default_tgs_enctypes = des3-hmac-sha1 # default_tkt_enctypes = des3-hmac-sha1 # permitted_enctypes = des3-hmac-sha1 # The following libdefaults parameters are only for Heimdal Kerberos. fcc-mit-ticketflags = true [realms] ATHENA.MIT.EDU = { kdc = kerberos.mit.edu kdc = kerberos-1.mit.edu kdc = kerberos-2.mit.edu:88 admin_server = kerberos.mit.edu default_domain = mit.edu } ZONE.MIT.EDU = { kdc = casio.mit.edu kdc = seiko.mit.edu admin_server = casio.mit.edu } CSAIL.MIT.EDU = { admin_server = kerberos.csail.mit.edu default_domain = csail.mit.edu } IHTFP.ORG = { kdc = kerberos.ihtfp.org admin_server = kerberos.ihtfp.org } 1TS.ORG = { kdc = kerberos.1ts.org admin_server = kerberos.1ts.org } ANDREW.CMU.EDU = { admin_server = kerberos.andrew.cmu.edu default_domain = andrew.cmu.edu } CS.CMU.EDU = { kdc = kerberos-1.srv.cs.cmu.edu kdc = kerberos-2.srv.cs.cmu.edu kdc = kerberos-3.srv.cs.cmu.edu admin_server = kerberos.cs.cmu.edu } DEMENTIA.ORG = { kdc = kerberos.dementix.org kdc = kerberos2.dementix.org admin_server = kerberos.dementix.org } stanford.edu = { kdc = krb5auth1.stanford.edu kdc = krb5auth2.stanford.edu kdc = krb5auth3.stanford.edu master_kdc = krb5auth1.stanford.edu admin_server = krb5-admin.stanford.edu default_domain = stanford.edu } UTORONTO.CA = { kdc = kerberos1.utoronto.ca kdc = kerberos2.utoronto.ca kdc = kerberos3.utoronto.ca admin_server = kerberos1.utoronto.ca default_domain = utoronto.ca } [domain_realm] .mit.edu = ATHENA.MIT.EDU mit.edu = ATHENA.MIT.EDU .media.mit.edu = MEDIA-LAB.MIT.EDU media.mit.edu = MEDIA-LAB.MIT.EDU .csail.mit.edu = CSAIL.MIT.EDU csail.mit.edu = CSAIL.MIT.EDU .whoi.edu = ATHENA.MIT.EDU whoi.edu = ATHENA.MIT.EDU .stanford.edu = stanford.edu .slac.stanford.edu = SLAC.STANFORD.EDU .toronto.edu = UTORONTO.CA .utoronto.ca = UTORONTO.CA ###################### sssd.conf ###################### [sssd] domains = domain.test config_file_version = 2 services = nss, pam debug_level = 10 [domain/domain.test] debug_level = 10 # ad_domain = domain.test krb5_realm = DOMAIN.TEST realmd_tags = manages-system joined-with-adcli access_provider = ad auth_provider = ad id_provider = ad ldap_id_mapping = True # # cache_credentials = True # krb5_store_password_if_offline = True # use_fully_qualified_names = False default_shell = /bin/bash fallback_homedir = /home/%u@%d [pam] debug_level = 10 pam_cert_auth = True ####################### krb5-child.log ####################### Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [main] (0x0400): krb5_child started. (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [unpack_buffer] (0x1000): total buffer size: [152] (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [unpack_buffer] (0x0100): cmd [249] uid [270401103] gid [270400513] validate [true] enterprise principal [true] offline [false] UPN [test_user(a)DOMAIN.TEST] (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:270401103] old_ccname: [KEYRING:persistent:270401103] keytab: [/etc/krb5.keytab] (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [check_use_fast] (0x0100): Not using FAST. (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [become_user] (0x0200): Trying to become user [270401103][270400513]. (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [main] (0x2000): Running as [270401103][270400513]. (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested. (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [set_lifetime_options] (0x0100): No specific lifetime requested. (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true] (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [main] (0x0400): Will perform pre-auth (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [tgt_req_child] (0x1000): Attempting to get a TGT (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [DOMAIN.TEST] (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874510: Getting initial credentials for test_user\@DOMAIN.TEST(a)DOMAIN.TEST (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874512: Sending unauthenticated request (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874513: Sending request (229 bytes) to DOMAIN.TEST (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874514: Sending initial UDP request to dgram 10.0.0.3:88 (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874515: Received answer (197 bytes) from dgram 10.0.0.3:88 (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874516: Response was from master KDC (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874517: Received error from KDC: -1765328359/Additional pre-authentication required (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874520: Preauthenticating using KDC method data (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874521: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2) (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874522: Selected etype info: etype aes256-cts, salt "DOMAIN.TESTtest_user", params "" (Mon Jan 18 17:44:15 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_responder] (0x4000): Got question [pkinit]. (Mon Jan 18 17:44:15 2021) [[sssd[krb5_child[75227]]]] [answer_pkinit] (0x4000): [0] Identity [PKCS11:module_name=/lib/libsadaptor.so:slotid=2:token=Crypto Token] flags [0]. (Mon Jan 18 17:44:15 2021) [[sssd[krb5_child[75227]]]] [answer_pkinit] (0x4000): Setting pkinit_prompting. (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL. (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Crypto Token PIN]. (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts. (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984656.291326: PKINIT client has no configured identity; giving up (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984656.291327: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984656.291328: PKINIT client ignoring draft 9 offer from RFC 4556 KDC (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984656.291329: Preauth module pkinit (15) (real) returned: -1765328360/Preauthentication failed (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL. (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for test_user\@DOMAIN.TEST(a)DOMAIN.TEST]. (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts. (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984656.291330: Preauth module encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_get_init_creds_password] (0x0020): 1627: [-1765328174][Pre-authentication failed: Preauthentication failed] (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [-1765328174] during pre-auth. (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [k5c_send_data] (0x0200): Received error code 0 (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [pack_response_packet] (0x2000): response packet size: [12] (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [k5c_send_data] (0x4000): Response sent. (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [main] (0x0400): krb5_child completed successfully

4 weeks, 1 day

2
4
0 / 0

Ubuntu and self-signed server certificate

by Todor Petkov

Hello, I am trying to configure SSSD on Ubuntu 20.04 against 389-DS server with self-signed certificate. Upon starting sssd, I get this message in /var/log/syslog : Could not start TLS encryption. Key usage violation in certificate has been detected I tried adding the following lines in the domain section of sssd.conf, but to no avail: certificate_verification = no_verification ldap_tls_reqcert = allow Can someone advise, how can I turn certificate check off? SSSD version is 2.2.3-3ubuntu0.2 Thanks in advance

1 month

3
3
0 / 0

HBAC refresh timeout / grace period

by Judd Gaddie

Hi, how can I change/configure the HBAC refresh timeout ? Stephen Gallagher mentioned it here https://pagure.io/SSSD/sssd/issue/1047 It appears that the default value may have changed from 1 minutes to 1 second in a newer release.

1 month

2
1
0 / 0

ldap_use_tokengroups=False is not returning correct results

by Sanjay Agrawal

We are noticing that with ldap_use_tokengroups=False is not returning same results as with tokengroups. We think, it is due to two issues show below. Can you please confirm if they are a known issues. Thanks, Issue 1: It is not checking nested membership of gidNumber group, so missing group "group1498" from the list $ ldapsearch -Q -h ad_server -LLL -b 'CN=user3901,OU=Service Accounts,DC=mydomain,DC=com' -s base 'objectclass=*' | grep -E "primaryGroupID|gidNumber|memberOf" memberOf: CN=group548,OU=Groups,DC=mydomain,DC=com memberOf: CN=group1414,OU=Groups,DC=mydomain,DC=com primaryGroupID: 513 gidNumber: 32771 $ ldapsearch -Q -h ad_server -LLL -b 'OU=Groups,DC=mydomain,DC=com' '(msSFU30Name=group1191)' | grep -E "gidNumber|memberOf" memberOf: CN=group1498,CN=Builtin,DC=mydomain,DC=com gidNumber: 32771 testhost4:0# tail -1 /etc/sssd/sssd.conf ldap_use_tokengroups = False testhost4:0# groups user3901 user3901 : group1191 group548 group1414 Issue 2: without tokengroups, It's not considering primaryGroupID as group of the user, so this is missing from group list All tokengroups for this user $ ldapsearch -Q -h ad_server -LLL -b 'CN=user5305,CN=Users,DC=mydomain,DC=com' -s base 'objectclass=*' tokenGroups dn: CN=user5305,CN=Users,DC=mydomain,DC=com tokenGroups:: AQIAAAAAAAUgAAAAIQIAAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9gBwCAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I95d4AAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9FwQBAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9YB0BAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I91uIAAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9kQQAAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9vBwCAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9594AAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9gHABAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9KAYBAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9C4gBAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9xgQBAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9fOIAAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9K14AAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I97BwBAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I98j4BAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9sQUBAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9Zt8AAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9s7sAAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I95aoAAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9tOIAAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I98M4AAA== tokenGroups:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA== All memberof/PrimaryGid and gidNumber for the user ldapsearch -Q -h ad_server -LLL -b 'DC=mydomain,DC=com' '(ldap_group=user5305)' | egrep "name|gidNumber|memberOf|primary|AccountName" memberOf: CN=group136,OU=Groups,DC=mydomain,DC=com memberOf: CN=group404,OU=Groups,DC=mydomain,DC=com memberOf: CN=group938,OU=Groups,DC=mydomain,DC=com memberOf: CN=group717,OU=Groups,DC=mydomain,DC=com memberOf: CN=group655,OU=Groups,DC=mydomain,DC=com memberOf: CN=group714,OU=Groups,DC=mydomain,DC=com memberOf: CN=group1015,OU=Groups,DC=mydomain,DC=com memberOf: CN=group715,OU=Groups,DC=mydomain,DC=com memberOf: CN=group945,OU=Groups,DC=mydomain,DC=com memberOf: CN=group863,OU=Groups,DC=mydomain,DC=com memberOf: CN=group1243,OU=Groups,DC=mydomain,DC=com memberOf: CN=group721,OU=Groups,DC=mydomain,DC=com memberOf: CN=group588,OU=Groups,DC=mydomain,DC=com memberOf: CN=group869,OU=Groups,DC=mydomain,DC=com memberOf: CN=group1110,OU=Groups,DC=mydomain,DC=com memberOf: CN=group934,OU=Groups,DC=mydomain,DC=com memberOf: CN=group1099,OU=Groups,DC=mydomain,DC=com memberOf: CN=group669,OU=Groups,DC=mydomain,DC=com memberOf: CN=group1520,OU=Groups,DC=mydomain,DC=com memberOf: CN=group768,OU=Groups,DC=mydomain,DC=com memberOf: CN=group1375,OU=Groups,DC=mydomain,DC=com memberOf: CN=group226,OU=Groups,DC=mydomain,DC=com name: user5305 primaryGroupID: 513 sAMAccountName: user5305 gidNumber: 33040 check group with objectSid AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA== $ ldapsearch -Q -h ad_server -LLL -b 'DC=mydomain,DC=com' '(ldap_group=group1191)' objectSid name dn: CN=Domain Users,OU=Groups,DC=mydomain,DC=com name: Domain Users objectSid:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA== ldap_group: group1191 base64 of this objectSid AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA== S-1-5-21-79843086-108998794-1039276024-513 - this is the primaryGroupID, which is missing from group list From box using tokenGroup=False, see group1191 (primaryGroupID) is missing from the group list testhost4:130# tail -1 /etc/sssd/sssd.conf ldap_use_tokengroups = False testhost4:0# groups user5305 user5305 : group1520 group226 group1375 group768 group136 group1243 group669 group1099 group934 group1110 group869 group588 group721 group863 group945 group715 group1015 group714 group655 group717 group938 group404 Sanjay Agrawal

1 month

3
5
0 / 0

SSSD InfoPipe responder cache and attributes

by Lawrence Kearney

SSSD team, Hello! I'm a bit perplexed on how to validate and test data read by the Dbus/IFP responder. I'd like to better understand the cache aspects and how to validate that non-default whitelisted attributes are in fact exposed. I'm using the AD provider against a 2012 R2 back end. [sssd] config_file_version = 2 services = nss,pam,pac,ifp domains = dvc.darkvixen.com [nss] reconnection_retries = 3 filter_users = root,bin,daemon,games,gdm,lp,nobody,openslp,rpc,statd filter_groups = root,bin,daemon,sys,disk,lp,audio,floppy,cdrom,video,games [pam] [pac] [ifp] allowed_uids = root,wwwrun,sssd user_attributes = +mail,+department,+telephoneNumber,-gecos [domain/dvc.darkvixen.com] id_provider = ad enumerate = false cache_credentials = true case_sensitive = false override_homedir = /home/%u override_shell = /bin/bash override_gid = 1727401607 ldap_user_extra_attrs = mail,department,telephoneNumber Output from sssctl: # sssctl user-show msteele Name: msteele Cache entry creation date: 01/08/21 10:14:35 Cache entry last update time: 01/08/21 14:04:18 Cache entry expiration time: 01/08/21 15:34:18 Initgroups expiration time: 01/08/21 15:34:18 Cached in InfoPipe: No # sssctl user-checks msteele user: msteele action: acct service: system-auth SSSD nss user lookup result: - user name: msteele - user id: 1727401116 - group id: 1727401607 - gecos: Ming Steele - home directory: /home/msteele - shell: /bin/bash SSSD InfoPipe user lookup result: - name: msteele - uidNumber: 1727401116 - gidNumber: 1727400513 - gecos: - homeDirectory: /home/msteele - loginShell: /bin/bash testing pam_acct_mgmt pam_acct_mgmt: Success PAM Environment: - no env - Should the attributes in fact be cached and displayed? Packages installed: # rpm -qa | grep sss python-sssdconfig-1.16.5-10.el7_9.5.noarch sssd-client-1.16.5-10.el7_9.5.armv7hl libsss_autofs-1.16.5-10.el7_9.5.armv7hl sssd-common-1.16.5-10.el7_9.5.armv7hl libsss_simpleifp-1.16.5-10.el7_9.5.armv7hl sssd-ad-1.16.5-10.el7_9.5.armv7hl libsss_idmap-1.16.5-10.el7_9.5.armv7hl libsss_certmap-1.16.5-10.el7_9.5.armv7hl sssd-libwbclient-1.16.5-10.el7_9.5.armv7hl libsss_sudo-1.16.5-10.el7_9.5.armv7hl sssd-polkit-rules-1.16.5-10.el7_9.5.armv7hl sssd-dbus-1.16.5-10.el7_9.5.armv7hl sssd-common-pac-1.16.5-10.el7_9.5.armv7hl sssd-tools-1.16.5-10.el7_9.5.armv7hl sssd-ldap-1.16.5-10.el7_9.5.armv7hl libsss_nss_idmap-1.16.5-10.el7_9.5.armv7hl sssd-krb5-common-1.16.5-10.el7_9.5.armv7hl python-sss-1.16.5-10.el7_9.5.armv7hl sssd-krb5-1.16.5-10.el7_9.5.armv7hl -- lawrence

1 month, 2 weeks

2
1
0 / 0

Failed to change user login shell via chsh on SSSD client connected to 389ds

by SJTU

Hi, We host a 389ds LDAP service and connect it via SSSD. All servers and clients are on CentOS 7. ldapmodify and passwd work well. But we fail to change user login shell via chsh. For example, $ chsh -s /bin/bash Changing shell for hpc-jianwen. Password: chsh: user "hpc-jianwen" does not exist. $ id hpc-jianwen uid=1513(hpc-jianwen) gid=1514(hpc-jianwen) groups=1514(hpc-jianwen) Any suggestion is welcome. Thank you! Jianwen

1 month, 2 weeks

3
3
0 / 0

fast tunnel and authentication indicator

by Abdelkader Chelouah

Hello, I configured MIT Krb5-1.18.3 KDC to use FAST OTP with authentication indicator "*strong*". $ cat kdc.conf ... [otp] softid = { server = 192.168.0.68:1812 secret = /etc/.radius.secret strip_realm = true indicator = strong #timeout = <integer> (default: 5 [seconds]) #retries = <integer> (default: 3) } The kerberos Realm "DNS.PODMAN" has only two "otp" principals, *alice* and *bob.* $ kadmin.local getstrs alice otp: [{"type":"softid"}] $ kadmin.local getstrs bob otp: [{"type":"softid"} Alice's password was purged with the command kadmin.local purgekeys -all alice On the sssd host (RHEL 7.9), sssd service uses the following configuration file [sssd] domains = DNS.PODMAN services = nss,pam,ssh config_file_version = 2 debug_level = 9 [nss] filter_users = root filter_groups = root reconnection_retries = 3 entry_cache_nowait_percentage = 75 debug_level = 9 [pam] reconnection_retries = 3 offline_credentials_expiration = 2 offline_failed_login_attempts = 3 offline_failed_login_delay = 5 [domain/DNS.PODMAN] debug_level = 0x04000 id_provider = ldap ldap_uri = ldaps://kerb.dns.podman:636/ ldap_search_base = dc=dns,dc=podman ldap_schema = rfc2307bis ldap_tls_reqcert = demand ldap_tls_cacert = /etc/pki/tls/certs/ca.crt ldap_sasl_mech = gssapi ldap_sasl_authid = sssd/sssd.dns.podman ldap_krb5_keytab = /etc/sssd/sssd.keytab ldap_krb5_init_creds = true ldap_krb5_ticket_lifetime = 86400 ldap_user_search_base = ou=people,dc=dns,dc=podman ldap_user_object_class = posixAccount ldap_group_search_base = ou=groups,dc=dns,dc=podman ldap_group_object_class = groupOfNames ldap_group_gid_number = gidNumber ldap_group_member = member auth_provider = krb5 krb5_server = kerb.dns.podman krb5_realm = DNS.PODMAN cache_credentials = true krb5_keytab = /etc/krb5.keytab krb5_use_fast = try krb5_fast_principal = host/sssd.dns.podman min_id = 10000 max_id = 20000 #enumerate = False enumerate = True [ssh] debug_level = 9 # klist -k /etc/krb5.keytab Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 2 host/sssd.dns.podman(a)DNS.PODMAN 2 host/sssd.dns.podman(a)DNS.PODMAN 2 host/sssd.dns.podman(a)DNS.PODMAN 2 host/sssd.dns.podman(a)DNS.PODMAN 2 host/sssd.dns.podman(a)DNS.PODMAN 2 host/sssd.dns.podman(a)DNS.PODMAN The service principal host/sssd.dns.podman is configured to require the "strong" authentication indicator value. $ kadmin getstrs host/sssd.dns.podman require_auth: strong When ssh to the sssd host with *alice* account, authentication using otp is working fine [root@client /]# ssh alice@sssd alice@sssd's password: <otp value> Last login: Sat Dec 19 19:06:36 2020 from client.dns.podman [alice@sssd ~] However, if I ssh to the sssd host with *bob* account, I can login with bob's password even if the service principal host/sssd.dns.podman is configured to require the "strong" authentication indicator value [root@client /]# ssh bob@sssd bob@sssd's password: <bob's password> Last login: Mon Dec 21 19:05:03 2020 from client.dns.podman [bob@sssd ~]$ 1. Why password authentication for bob principal succeeded while authentication indicator is "strong" ? 2. Is it possible to configure sssd to enforce "otp" authentication ?

1 month, 2 weeks

2
7
0 / 0

select sssd method for authentication

by mbalembo

Hello, I would like to configure pam_sss.so as to separate authentication methods ; in my case i use both password and smartcard. My problem is that when a smartcard is inserted, you can't use password anymore because it will prompt for the PIN and fail without fallback. Ideally i'd like to configure pam/sssd/sddm to try the "password" as a password, then try as a PIN for inserted smartcards. Can i configure sssd to do that ? My understanding in that even if you set pam_sss to/try_cert_auth/, it will not fallback to password if a smartcard is inserted. Thanks for your help, Marc

1 month, 2 weeks

3
4
0 / 0

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

sssd-users January 2021