problem obtaining kerberos ticket with sssd
by mbalembo
Hello,
I have trouble obtaining a Kerberos ticket when logging in with sssd.
In /var/log/sssd/krb5_child.log I get the line:
[[sssd[krb5_child[9521]]]] [unpack_buffer] (0x0100): cmd [241] uid [10007] gid [10000] validate [false] enterprise principal [true] offline [false] UPN [USER@MYDOMAIN]
My problem is that I need to restart the service to switch this to "offline [false]".
(Note that authentication works otherwise; it's just the Kerberos ticket that is missing.)
Maybe I missed an option to set the update rate?
Thanks,
Marc
sudo (with sssd) command duration 50ms -> 400ms performance degradation
by Judd Gaddie
Hi, we have noticed a performance regression on some of our boxes when we upgraded from Ubuntu 18.04 (sssd 1.16.1-1ubuntu1.7) (sudo 1.8.21p2) -> Ubuntu 20.04 (sssd 2.2.3-3ubuntu0.1) (sudo 1.8.31) (however it was not universal; some Ubuntu 20.04 boxes are fine) joined to a FreeIPA domain.
We have noticed the following line takes a long time when sudo debug logging is turned on (not sure if this is a red herring): sudo_pam_approval @ ../../../plugins/sudoers/auth/pam.c:330
Any idea what may cause this, or something to try, would be much appreciated.
See benchmark:
Ubuntu 18.04
./hyperfine "sudo -u user true" --warmup 5
Benchmark #1: sudo -u trans true
Time (mean ± σ): 51.0 ms ± 24.6 ms [User: 5.7 ms, System: 3.5 ms]
Range (min … max): 42.1 ms … 236.7 ms 60 runs
Ubuntu 20.04
Benchmark #1: sudo -u user true
Time (mean ± σ): 436.0 ms ± 36.1 ms [User: 15.2 ms, System: 14.7 ms]
Range (min … max): 407.4 ms … 534.3 ms 10 runs
[[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts
by Rudi Dayan
Hello,
I would like to implement smartcard authentication to Microsoft AD with sssd on Ubuntu 20.04 LTS.
I am able to log in to AD with a password, but when I try to use a smartcard, after a minute of timeout the password window pops up and even if I enter the correct password I get the following error: "Authentication failure".
When I used kinit with a smartcard for the same user, the action succeeded and I got a TGT.
I would appreciate your help on this subject.
I have attached the configuration files krb5.conf and sssd.conf and the log file krb5_child.log.
Thank you,
Rudi
#####################################
krb5.conf
#####################################
[logging]
default = FILE:/var/log/krb5libs.log
[libdefaults]
default_realm = DOMAIN.TEST
# dns_lookup_realm = true
# dns_lookup_kdc = true
ticket_lifetime = 24h #
renew_lifetime = 7d
# forwardable = true
# rdns = false
pkinit_kdc_hostname = DC.DOMAIN.TEST
# pkinit_allow_upn = true
pkinit_anchors = DIR:/etc/rootcas/
pkinit_pool = DIR:/etc/rootcas/
pkinit_identities = PKCS11:/lib/libsadaptor.so
default_ccache_name = KEYRING:persistent:%{uid}
canonicalize = true
# The following krb5.conf variables are only for MIT Kerberos.
# kdc_timesync = 1
# ccache_type = 4
# proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu
kdc = kerberos-1.mit.edu
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
CSAIL.MIT.EDU = {
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
ANDREW.CMU.EDU = {
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos-1.srv.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
kdc = kerberos-3.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
######################
sssd.conf
######################
[sssd]
domains = domain.test
config_file_version = 2
services = nss, pam
debug_level = 10
[domain/domain.test]
debug_level = 10
#
ad_domain = domain.test
krb5_realm = DOMAIN.TEST
realmd_tags = manages-system joined-with-adcli
access_provider = ad
auth_provider = ad
id_provider = ad
ldap_id_mapping = True
#
# cache_credentials = True
# krb5_store_password_if_offline = True
#
use_fully_qualified_names = False
default_shell = /bin/bash
fallback_homedir = /home/%u@%d
[pam]
debug_level = 10
pam_cert_auth = True
#######################
krb5-child.log
#######################
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [main] (0x0400): krb5_child started.
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [unpack_buffer] (0x1000): total buffer size: [152]
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [unpack_buffer] (0x0100): cmd [249] uid [270401103] gid [270400513] validate [true] enterprise principal [true] offline [false] UPN [test_user@DOMAIN.TEST]
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:270401103] old_ccname: [KEYRING:persistent:270401103] keytab: [/etc/krb5.keytab]
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [check_use_fast] (0x0100): Not using FAST.
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [become_user] (0x0200): Trying to become user [270401103][270400513].
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [main] (0x2000): Running as [270401103][270400513].
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested.
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [set_lifetime_options] (0x0100): No specific lifetime requested.
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [main] (0x0400): Will perform pre-auth
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [DOMAIN.TEST]
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874510: Getting initial credentials for test_user\@DOMAIN.TEST@DOMAIN.TEST
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874512: Sending unauthenticated request
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874513: Sending request (229 bytes) to DOMAIN.TEST
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874514: Sending initial UDP request to dgram 10.0.0.3:88
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874515: Received answer (197 bytes) from dgram 10.0.0.3:88
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874516: Response was from master KDC
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874517: Received error from KDC: -1765328359/Additional pre-authentication required
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874520: Preauthenticating using KDC method data
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874521: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874522: Selected etype info: etype aes256-cts, salt "DOMAIN.TESTtest_user", params ""
(Mon Jan 18 17:44:15 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_responder] (0x4000): Got question [pkinit].
(Mon Jan 18 17:44:15 2021) [[sssd[krb5_child[75227]]]] [answer_pkinit] (0x4000): [0] Identity [PKCS11:module_name=/lib/libsadaptor.so:slotid=2:token=Crypto Token] flags [0].
(Mon Jan 18 17:44:15 2021) [[sssd[krb5_child[75227]]]] [answer_pkinit] (0x4000): Setting pkinit_prompting.
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Crypto Token PIN].
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984656.291326: PKINIT client has no configured identity; giving up
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984656.291327: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984656.291328: PKINIT client ignoring draft 9 offer from RFC 4556 KDC
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984656.291329: Preauth module pkinit (15) (real) returned: -1765328360/Preauthentication failed
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for test_user\@DOMAIN.TEST@DOMAIN.TEST].
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984656.291330: Preauth module encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_get_init_creds_password] (0x0020): 1627: [-1765328174][Pre-authentication failed: Preauthentication failed]
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [-1765328174] during pre-auth.
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [k5c_send_data] (0x0200): Received error code 0
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [pack_response_packet] (0x2000): response packet size: [12]
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [k5c_send_data] (0x4000): Response sent.
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [main] (0x0400): krb5_child completed successfully
Ubuntu and self-signed server certificate
by Todor Petkov
Hello,
I am trying to configure SSSD on Ubuntu 20.04 against a 389-DS server with a self-signed certificate. Upon starting sssd, I get this message in /var/log/syslog:
Could not start TLS encryption. Key usage violation in certificate has been detected
I tried adding the following lines in the domain section of sssd.conf, but to no avail:
certificate_verification = no_verification
ldap_tls_reqcert = allow
Can someone advise how I can turn the certificate check off? The SSSD version is 2.2.3-3ubuntu0.2.
Thanks in advance
ldap_use_tokengroups=False is not returning correct results
by Sanjay Agrawal
We are noticing that with ldap_use_tokengroups=False we are not getting the same results as with tokengroups. We think it is due to the two issues shown below. Can you please confirm whether they are known issues?
Thanks,
Issue 1: It is not checking nested membership of the gidNumber group, so group "group1498" is missing from the list.
$ ldapsearch -Q -h ad_server -LLL -b 'CN=user3901,OU=Service Accounts,DC=mydomain,DC=com' -s base 'objectclass=*' | grep -E "primaryGroupID|gidNumber|memberOf"
memberOf: CN=group548,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group1414,OU=Groups,DC=mydomain,DC=com
primaryGroupID: 513
gidNumber: 32771
$ ldapsearch -Q -h ad_server -LLL -b 'OU=Groups,DC=mydomain,DC=com' '(msSFU30Name=group1191)' | grep -E "gidNumber|memberOf"
memberOf: CN=group1498,CN=Builtin,DC=mydomain,DC=com
gidNumber: 32771
testhost4:0# tail -1 /etc/sssd/sssd.conf
ldap_use_tokengroups = False
testhost4:0# groups user3901
user3901 : group1191 group548 group1414
Issue 2: Without tokengroups, it's not considering primaryGroupID as a group of the user, so this is missing from the group list.
All tokengroups for this user:
$ ldapsearch -Q -h ad_server -LLL -b 'CN=user5305,CN=Users,DC=mydomain,DC=com' -s base 'objectclass=*' tokenGroups
dn: CN=user5305,CN=Users,DC=mydomain,DC=com
All memberOf/primaryGroupID and gidNumber values for the user:
ldapsearch -Q -h ad_server -LLL -b 'DC=mydomain,DC=com' '(ldap_group=user5305)' | egrep "name|gidNumber|memberOf|primary|AccountName"
memberOf: CN=group136,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group404,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group938,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group717,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group655,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group714,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group1015,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group715,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group945,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group863,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group1243,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group721,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group588,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group869,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group1110,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group934,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group1099,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group669,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group1520,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group768,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group1375,OU=Groups,DC=mydomain,DC=com
memberOf: CN=group226,OU=Groups,DC=mydomain,DC=com
name: user5305
primaryGroupID: 513
sAMAccountName: user5305
gidNumber: 33040
Check the group with objectSid AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA==:
$ ldapsearch -Q -h ad_server -LLL -b 'DC=mydomain,DC=com' '(ldap_group=group1191)' objectSid name
dn: CN=Domain Users,OU=Groups,DC=mydomain,DC=com
name: Domain Users
objectSid:: AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA==
ldap_group: group1191
base64 of this objectSid AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA==:
S-1-5-21-79843086-108998794-1039276024-513
- this is the primaryGroupID, which is missing from the group list
From the box using tokenGroup=False, note that group1191 (primaryGroupID) is missing from the group list:
testhost4:130# tail -1 /etc/sssd/sssd.conf
ldap_use_tokengroups = False
testhost4:0# groups user5305
user5305 : group1520 group226 group1375 group768 group136 group1243 group669 group1099 group934 group1110 group869 group588 group721 group863 group945 group715 group1015 group714 group655 group717 group938 group404
Sanjay Agrawal
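As an added illustration of the two issues above (this is example code written for this digest, not anything from the poster or from SSSD), the block below decodes AD binary SIDs as ldapsearch prints them (base64 under "objectSid::" / "tokenGroups::"), derives the primary-group SID from a user SID and primaryGroupID, and walks nested memberOf over a constructed miniature directory. The user3901 objectSid (RID 1116) and the directory contents are constructed for the example; the Domain Users objectSid is the one quoted in the post.

```python
"""Decode AD SIDs and compute the full group set for a user without tokenGroups:
direct memberOf + gidNumber group + primaryGroupID group, expanded through
nested memberOf. Added example, not code from the post or from SSSD."""
import base64
import struct


def sid_bytes_to_string(raw: bytes) -> str:
    """Binary SID -> 'S-1-...'. Layout: revision (1 byte), sub-authority count
    (1 byte), identifier authority (6 bytes, big-endian), then `count`
    sub-authorities, each a 4-byte little-endian integer."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_b64_to_string(b64: str) -> str:
    """ldapsearch prints binary attributes base64-encoded after a double colon."""
    return sid_bytes_to_string(base64.b64decode(b64))


def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """The primary group never appears in memberOf: its SID is the user's
    domain SID with the primaryGroupID RID appended."""
    domain_sid = user_sid.rsplit("-", 1)[0]
    return "%s-%d" % (domain_sid, primary_group_id)


# Constructed miniature directory modelled on the post: DN -> attributes.
# The user's objectSid (RID 1116) is hypothetical; the Domain Users objectSid
# is the value quoted in the post.
DIRECTORY = {
    "CN=user3901,OU=Service Accounts,DC=mydomain,DC=com": {
        "memberOf": ["CN=group548,OU=Groups,DC=mydomain,DC=com",
                     "CN=group1414,OU=Groups,DC=mydomain,DC=com"],
        "gidNumber": 32771, "primaryGroupID": 513,
        "objectSid": "S-1-5-21-79843086-108998794-1039276024-1116"},
    "CN=group1191,OU=Groups,DC=mydomain,DC=com": {
        "memberOf": ["CN=group1498,CN=Builtin,DC=mydomain,DC=com"],
        "gidNumber": 32771},
    "CN=group1498,CN=Builtin,DC=mydomain,DC=com": {"memberOf": []},
    "CN=group548,OU=Groups,DC=mydomain,DC=com": {"memberOf": []},
    "CN=group1414,OU=Groups,DC=mydomain,DC=com": {"memberOf": []},
    "CN=Domain Users,OU=Groups,DC=mydomain,DC=com": {
        "memberOf": [],
        "objectSid": sid_b64_to_string("AQUAAAAAAAUVAAAADk/CBIowfwb4F/I9AQIAAA==")},
}


def cn(dn: str) -> str:
    """First RDN value of a DN (CNs containing commas are not handled here)."""
    return dn.split(",")[0].split("=", 1)[1]


def resolve_groups(user_dn: str, directory: dict = DIRECTORY) -> set:
    """CNs of every group the user belongs to, directly or via nesting,
    including the POSIX gidNumber group and the AD primaryGroupID group."""
    user = directory[user_dn]
    wanted_sid = primary_group_sid(user["objectSid"], user["primaryGroupID"])
    todo = list(user["memberOf"])
    for dn, attrs in directory.items():
        if dn == user_dn:
            continue
        if attrs.get("gidNumber") == user.get("gidNumber"):
            todo.append(dn)  # POSIX primary group (issue 1 in the post)
        if attrs.get("objectSid") == wanted_sid:
            todo.append(dn)  # AD primary group (issue 2 in the post)
    seen = set()
    while todo:  # walk nested memberOf; `seen` guards against cycles
        dn = todo.pop()
        if dn in seen:
            continue
        seen.add(dn)
        todo.extend(directory.get(dn, {}).get("memberOf", []))
    return {cn(dn) for dn in seen}
```

Running resolve_groups on the constructed user3901 entry yields group1498 and Domain Users in addition to the three groups the post's `groups` output shows, which is the set tokenGroups would have returned.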
SSSD InfoPipe responder cache and attributes
by Lawrence Kearney
SSSD team,
Hello! I'm a bit perplexed about how to validate and test data read by the D-Bus/IFP responder. I'd like to better understand the cache aspects and how to validate that non-default whitelisted attributes are in fact exposed.
I'm using the AD provider against a 2012 R2 back end.
[sssd]
config_file_version = 2
services = nss,pam,pac,ifp
domains = dvc.darkvixen.com
[nss]
reconnection_retries = 3
filter_users = root,bin,daemon,games,gdm,lp,nobody,openslp,rpc,statd
filter_groups = root,bin,daemon,sys,disk,lp,audio,floppy,cdrom,video,games
[pam]
[pac]
[ifp]
allowed_uids = root,wwwrun,sssd
user_attributes = +mail,+department,+telephoneNumber,-gecos
[domain/dvc.darkvixen.com]
id_provider = ad
enumerate = false
cache_credentials = true
case_sensitive = false
override_homedir = /home/%u
override_shell = /bin/bash
override_gid = 1727401607
ldap_user_extra_attrs = mail,department,telephoneNumber
Output from sssctl:
# sssctl user-show msteele
Name: msteele
Cache entry creation date: 01/08/21 10:14:35
Cache entry last update time: 01/08/21 14:04:18
Cache entry expiration time: 01/08/21 15:34:18
Initgroups expiration time: 01/08/21 15:34:18
Cached in InfoPipe: No
# sssctl user-checks msteele
user: msteele
action: acct
service: system-auth
SSSD nss user lookup result:
- user name: msteele
- user id: 1727401116
- group id: 1727401607
- gecos: Ming Steele
- home directory: /home/msteele
- shell: /bin/bash
SSSD InfoPipe user lookup result:
- name: msteele
- uidNumber: 1727401116
- gidNumber: 1727400513
- gecos:
- homeDirectory: /home/msteele
- loginShell: /bin/bash
testing pam_acct_mgmt
pam_acct_mgmt: Success
PAM Environment:
- no env -
Should the attributes in fact be cached and displayed?
Packages installed:
# rpm -qa | grep sss
python-sssdconfig-1.16.5-10.el7_9.5.noarch
sssd-client-1.16.5-10.el7_9.5.armv7hl
libsss_autofs-1.16.5-10.el7_9.5.armv7hl
sssd-common-1.16.5-10.el7_9.5.armv7hl
libsss_simpleifp-1.16.5-10.el7_9.5.armv7hl
sssd-ad-1.16.5-10.el7_9.5.armv7hl
libsss_idmap-1.16.5-10.el7_9.5.armv7hl
libsss_certmap-1.16.5-10.el7_9.5.armv7hl
sssd-libwbclient-1.16.5-10.el7_9.5.armv7hl
libsss_sudo-1.16.5-10.el7_9.5.armv7hl
sssd-polkit-rules-1.16.5-10.el7_9.5.armv7hl
sssd-dbus-1.16.5-10.el7_9.5.armv7hl
sssd-common-pac-1.16.5-10.el7_9.5.armv7hl
sssd-tools-1.16.5-10.el7_9.5.armv7hl
sssd-ldap-1.16.5-10.el7_9.5.armv7hl
libsss_nss_idmap-1.16.5-10.el7_9.5.armv7hl
sssd-krb5-common-1.16.5-10.el7_9.5.armv7hl
python-sss-1.16.5-10.el7_9.5.armv7hl
sssd-krb5-1.16.5-10.el7_9.5.armv7hl
-- lawrence
Failed to change user login shell via chsh on SSSD client connected to 389ds
by SJTU
Hi,
We host a 389ds LDAP service and connect to it via SSSD. All servers and clients are on CentOS 7. ldapmodify and passwd work well, but we fail to change the user login shell via chsh. For example:
$ chsh -s /bin/bash
Changing shell for hpc-jianwen.
Password:
chsh: user "hpc-jianwen" does not exist.
$ id hpc-jianwen
uid=1513(hpc-jianwen) gid=1514(hpc-jianwen) groups=1514(hpc-jianwen)
Any suggestion is welcome.
Thank you!
Jianwen
fast tunnel and authentication indicator
by Abdelkader Chelouah
Hello,
I configured an MIT Krb5-1.18.3 KDC to use FAST OTP with the authentication indicator "strong".
$ cat kdc.conf
...
[otp]
softid = {
server = 192.168.0.68:1812
secret = /etc/.radius.secret
strip_realm = true
indicator = strong
#timeout = <integer> (default: 5 [seconds])
#retries = <integer> (default: 3)
}
The Kerberos realm "DNS.PODMAN" has only two "otp" principals, alice and bob.
$ kadmin.local getstrs alice
otp: [{"type":"softid"}]
$ kadmin.local getstrs bob
otp: [{"type":"softid"}
Alice's password was purged with the command:
kadmin.local purgekeys -all alice
On the sssd host (RHEL 7.9), the sssd service uses the following configuration file:
[sssd]
domains = DNS.PODMAN
services = nss,pam,ssh
config_file_version = 2
debug_level = 9
[nss]
filter_users = root
filter_groups = root
reconnection_retries = 3
entry_cache_nowait_percentage = 75
debug_level = 9
[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
[domain/DNS.PODMAN]
debug_level = 0x04000
id_provider = ldap
ldap_uri = ldaps://kerb.dns.podman:636/
ldap_search_base = dc=dns,dc=podman
ldap_schema = rfc2307bis
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca.crt
ldap_sasl_mech = gssapi
ldap_sasl_authid = sssd/sssd.dns.podman
ldap_krb5_keytab = /etc/sssd/sssd.keytab
ldap_krb5_init_creds = true
ldap_krb5_ticket_lifetime = 86400
ldap_user_search_base = ou=people,dc=dns,dc=podman
ldap_user_object_class = posixAccount
ldap_group_search_base = ou=groups,dc=dns,dc=podman
ldap_group_object_class = groupOfNames
ldap_group_gid_number = gidNumber
ldap_group_member = member
auth_provider = krb5
krb5_server = kerb.dns.podman
krb5_realm = DNS.PODMAN
cache_credentials = true
krb5_keytab = /etc/krb5.keytab
krb5_use_fast = try
krb5_fast_principal = host/sssd.dns.podman
min_id = 10000
max_id = 20000
#enumerate = False
enumerate = True
[ssh]
debug_level = 9
# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/sssd.dns.podman@DNS.PODMAN
2 host/sssd.dns.podman@DNS.PODMAN
2 host/sssd.dns.podman@DNS.PODMAN
2 host/sssd.dns.podman@DNS.PODMAN
2 host/sssd.dns.podman@DNS.PODMAN
2 host/sssd.dns.podman@DNS.PODMAN
The service principal host/sssd.dns.podman is configured to require the "strong" authentication indicator value.
$ kadmin getstrs host/sssd.dns.podman
require_auth: strong
When I ssh to the sssd host with the alice account, authentication using OTP works fine:
[root@client /]# ssh alice@sssd
alice@sssd's password: <otp value>
Last login: Sat Dec 19 19:06:36 2020 from client.dns.podman
[alice@sssd ~]
However, if I ssh to the sssd host with the bob account, I can log in with bob's password even though the service principal host/sssd.dns.podman is configured to require the "strong" authentication indicator value:
[root@client /]# ssh bob@sssd
bob@sssd's password: <bob's password>
Last login: Mon Dec 21 19:05:03 2020 from client.dns.podman
[bob@sssd ~]$
1. Why did password authentication for the bob principal succeed while the authentication indicator is "strong"?
2. Is it possible to configure sssd to enforce "otp" authentication?
select sssd method for authentication
by mbalembo
Hello,
I would like to configure pam_sss.so so as to separate authentication methods; in my case I use both password and smartcard.
My problem is that when a smartcard is inserted, you can't use a password anymore because it will prompt for the PIN and fail without fallback.
Ideally I'd like to configure pam/sssd/sddm to try the "password" as a password, then as a PIN for inserted smartcards.
Can I configure sssd to do that?
My understanding is that even if you set pam_sss to try_cert_auth, it will not fall back to password if a smartcard is inserted.
Thanks for your help,
Marc