sssd performance on large domains
by zfnoctis@gmail.com
Hi,
I'm wondering if there are any plans to improve sssd performance on large active directory domains (100k+ users, 40k+ groups), or if there are settings I am not aware of that can greatly improve performance, specifically for workstation use cases.
Currently if I do not set "ignore_group_members = True" in sssd.conf, logins can take upwards of 6 minutes and "sssd_be" will max the CPU for up to 20 minutes after logon, which makes it a non-starter. The reason I want to allow group members to be seen is that I want certain domain groups to be able to perform elevated actions using polkit. If I ignore group members, polkit reports that the group is empty and so no one can elevate in the graphical environment.
Ultimately this means that Linux workstations are at a severe disadvantage since they cannot be bound to the domain and have the normal set of access features users and IT expect from macOS or Windows.
Distributions used: Ubuntu 16.04 (sssd 1.13.4-1ubuntu1.1), Ubuntu 16.10 (sssd 1.13.4-3) and Fedora 24 (sssd-1.13.4-3.fc24). All exhibit the same problems.
I've also tried "ldap_group_nesting_level = 1" without seeing any noticeable improvement with respect to performance. Putting the database on /tmp isn't viable as these are workstations that will reboot semi-frequently, and I don't believe this is an I/O bound performance issue anyways.
Thanks for your time.
kcm, gssproxy and klist
by Winberg Adam
With KCM and gssproxy we often see a long list of credentials when doing a 'klist':
[user.u@lxserv2114 ~]$ klist
Ticket cache: KCM:17098:66803
Default principal: user.u@AD
Valid starting Expires Service principal
01/01/1970 00:00:00 01/01/1970 00:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
01/01/1970 00:00:00 01/01/1970 00:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
01/01/1970 00:00:00 01/01/1970 00:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
01/01/1970 00:00:00 01/01/1970 00:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
01/01/1970 00:00:00 01/01/1970 00:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
01/01/1970 00:00:00 01/01/1970 00:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
01/01/1970 00:00:00 01/01/1970 00:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
and so on...
The actual gssproxy credentials at /var/lib/gssproxy/clients/ do not correspond with this output; the directory only contains what could be expected - a TGT and maybe some service tickets.
The ever growing 'klist' list of credentials is a problem: after a while the user can no longer get any new credentials and therefore has no access to their NFS homedir (sec=krb5). I'm guessing it's the 'max_uid_ccaches' option in sssd-kcm that prevents this.
What is going on here - have we configured gssproxy/kcm wrong or is this a bug?
Regards
Adam
SSSD keeps retrieving LDAP groups while online, degrading performance (no matter what settings I try)
by Robert Wagensveld
Hi all,
We've been using SSSD for a while successfully in our Kerberos over LDAP enterprise environment. However, our SSSD online query time, especially over VPN, is very poor; usually each login or sudo request takes about 1 minute. There does not seem to be a way around it, not even forcing SSSD to use the cache for a while even when online again. entry_cache_timeout does not help. Is there anything I'm missing? Some configuration options I do not know about yet?
[sssd]
config_file_version = 2
services = nss, pam, ifp
domains = company.nl
debug_level = 9
[nss]
entry_cache_nowait_percentage = 5
filter_groups = root
filter_users = root
debug_level = 9
[pam]
offline_failed_login_attempts = 3
offline_failed_login_delay = 30
debug_level = 9
[domain/company.nl]
debug_level = 9
id_provider = ldap
ignore_group_members = true
auth_provider = krb5
chpass_provider = krb5
access_provider = permit
cache_credentials = true
min_id = 1000
entry_cache_timeout = 28800
krb5_realm = COMPANY.NL
krb5_canonicalize = false
krb5_renewable_lifetime = 24h
krb5_renew_interval = 6h
krb5_server = dc03.company.nl
krb5_store_password_if_offline = true
krb5_ccname_template = FILE:%d/krb5cc_%U
ldap_uri = ldap://dc03.company.nl
ldap_search_base = DC=Company,DC=nl
ldap_user_search_base = OU=CompanyCompany,DC=nl
ldap_group_search_base = OU=Company,DC=Company,DC=nl??
ldap_referrals = false
enumerate = false
ldap_force_upper_case_realm = true
ldap_schema = rfc2307bis
ldap_id_use_start_tls = false
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_sasl_canonicalize = true
ldap_sasl_mech = GSSAPI
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_gecos = gecos
ldap_user_shell = loginShell
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = nonExistingAttribute
ldap_group_object_class = group
ldap_group_name = cn
ldap_group_gid_number = gidNumber
ldap_group_member = member
Samba filesharing, ssh and sssd
by Harald 11
Hello!
I am using sssd 2.4 with Debian 11.
I am trying to set up a Samba server within a Samba ADS domain. I tried several approaches: sssd with ad and ldap configuration, and Samba with the ad, sss and nss backends.
Basic setup with sssd went well; login via ssh works. UID and GID are correct too, but I do not get Samba to run well. Either my user can't access the server and see shares, or I can access shares but the UID and GID are wrong.
Which way is best to get ssh and samba running with sssd?
Re: SSSD and Kerberos-related problems during joining a RHEL8.4-host to AD
by Spike White
Yeah,
When 'kinit -k' is failing, you have really fundamental Kerberos failures
going on. It's not even involving sssd at that point. Usually,
1. your entries in /etc/krb5.keytab file are stale or wrong, or
2. it can't find or access your AD DCs or
3. other DNS problems.
You can run 'kinit -k' in debug mode (export KRB5_TRACE=/tmp/krb5.out) and
view that debug file to see more specifics about the specific failure.
For instance, we have two Linux VMs in a cloud provider now where the AD
integration is misbehaving. kinit -k is failing. From the debug log of
'kinit -k', we can tell it's the DNS discovery of the AD DCs that's
failing. Turns out, it's a stealth MTU problem.
I believe until recently, sssd didn't support storing its kerberos creds in
the KCM, so your particular error condition is not one I've run across yet.
Glad to hear your problem is resolved.
Spike
On Fri, Nov 19, 2021 at 5:55 AM Aron Kelemen Szabo <aron.kelemen(a)stralfors.se> wrote:
> Hi again!
>
> I think I have found the problem! 😊
>
> kinit -k returned the following error:
>
> kinit: Connection refused while getting default ccache
>
> …while kvno -S host TEST0003 returned the following error:
>
> kvno: Connection refused while opening ccache
>
> A bit of googling on these error messages revealed that the culprit might
> be the KCM-service not running... Googling a bit on the error messages
> thrown by kinit and kvno and issuing the following commands revealed that
> this was indeed the case.
>
> systemctl status sssd-kcm.socket
> systemctl status sssd-kcm.service
>
> I came across this error report which among other things recommends
> upgrading the packages:
> https://bugzilla.redhat.com/show_bug.cgi?id=1716981
>
> So I ran a “yum update” and re-joined the host to the realm, and now the
> AD-logons seem to be working fine! Now I “only” need to find out what
> actually caused KCM to fail. :-)
>
> Thanks for all your input again!
>
> Best regards,
>
> Áron
>
Re: SSSD and Kerberos-related problems during joining a RHEL8.4-host to AD
by Spike White
Aron,
Several things. Some background -- in our company, we have thousands of
OL8.x and hundreds of RHEL 8.x Linux servers directly AD integrated to our
corp AD domain.
I compared our sssd.conf with yours. I think you want to add the 'ifp'
service for *L8. It's the infopipe service. Used by support utilities
such as sssctl domain-list, etc.
I thought you had to have a sssd.conf stanza for each service you enable.
For instance, we have this:
[nss]
debug_level = 0x0100
#debug_level = 9
filter_groups = root
filter_users = root
[pam]
pam_verbosity = 3
#debug_level = 9
offline_credentials_expiration = 3
[ifp]
Because we have
[sssd]
...
services = nss,pam,ifp
From your ldap_child.log, it looks like your SASL bind and then the LDAP
query is working. Which is surprising to me. We set up
ldap_sasl_authid = host/<fqdn>@<ad domain>
in our sssd.conf file. But I'm guessing if that's not explicitly set, it
uses HOSTNAME$@REALM. At least that's what it appears from your
ldap_child.log. It appears to use: TEST0003$(a)ourlab.se
Several things to try to narrow down where the failure is occurring.
1. try 'kinit -k' on the command line. That uses the first entry in
/etc/krb5.keytab file to attempt to authenticate as this machine account.
It's not a perfect test, since it's acquiring a TGT ticket instead of a
service ticket.
2. If that succeeds, try kvno -S host TEST0003
That should report the KVNO of your machine account credentials, as
stored in AD. This is a better test, as you're acquiring a service ticket
here. (Like sssd does).
3. Try 'adcli testjoin -D ourlab.se -v'. This tests the sssd connectivity,
similar to how sssd does it.
If all that works, your problem is not with LDAP or your SASL binding. So
then,
4. try 'getent passwd aron.kelemen(a)ourlab.se'. That should return the
entry for this user. If this fails, possibly your /etc/nsswitch.conf file
isn't set up right or maybe your attribute mapping in AD isn't agreeing
with your sssd.conf setting. (We use the MS-supported RFC2307bis AD schema
extension).
5. If that's good, then probably the problem is something in your PAM
stack. Specifically, the auth phase. In our /etc/pam.d/sshd file, we
have:
#%PAM-1.0
auth substack password-auth
auth include postlogin
...
and in password-auth, we have:
auth required pam_env.so
# OL7/8 version. Per I/T's stated policy for service & process accounts, lock-out time = 30 mins
auth required pam_faillock.so preauth silent deny=5 unlock_time=1800
auth sufficient pam_sss.so forward_pass
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_faillock.so authfail deny=5 unlock_time=1800
auth required pam_deny.so
Spike
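As an added example (not code from the thread or from the SSSD project), a POSIX shell script that walks Spike's five-step ladder above in order, with KRB5_TRACE enabled as his later reply suggests, and stops at the first failing step with a hint; the domain and test-user arguments, the trace file path and the use of the short hostname as the host/ instance are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. It runs Spike's diagnostic ladder in
# order (kinit -k, kvno, adcli testjoin, getent) with KRB5_TRACE enabled and
# stops at the first failing step, printing a hint and the trace tail.
# Assumptions (ours, not the thread's): the domain and test user come from the
# command line, the short hostname is the machine account name used for the
# host/ service principal, and the trace file path below is arbitrary.

TRACE_FILE="${KRB5_DIAG_TRACE:-/tmp/krb5-diag.trace}"

# Classify a kinit/kvno error line. Prints "<category>: <hint>".
# The kcm case is the one Aron hit (sssd-kcm.socket not running); keytab and
# dns cover the other two causes Spike lists for a failing 'kinit -k'.
hint_for_error() {
    case "$1" in
        *"Connection refused while"*ccache*)
            echo "kcm: default ccache is KCM: but nothing answers on its socket; check 'systemctl status sssd-kcm.socket sssd-kcm.service'" ;;
        *"Client not found in Kerberos database"*|*"Preauthentication failed"*|*"Key table entry not found"*)
            echo "keytab: /etc/krb5.keytab is stale or wrong for this machine account; compare 'klist -ke' with the account KVNO in AD" ;;
        *"Cannot contact any KDC"*|*"Cannot resolve network address"*|*"Cannot find KDC"*)
            echo "dns: DC discovery or reachability failed; check the SRV lookups in the KRB5_TRACE output and the path MTU" ;;
        *)
            echo "unknown: no known signature, read the KRB5_TRACE output" ;;
    esac
}

# Run one step, capturing its output. On failure print the hint for the
# output plus the last trace lines, and return 1 so the caller can stop.
run_step() {
    label="$1"; shift
    printf '== %s: %s\n' "$label" "$*"
    if out=$(KRB5_TRACE="$TRACE_FILE" "$@" 2>&1); then
        printf '%s\n   ok\n' "$out"
        return 0
    fi
    printf '%s\n   FAILED -> %s\n' "$out" "$(hint_for_error "$out")"
    if [ -s "$TRACE_FILE" ]; then
        echo "--- last KRB5_TRACE lines ($TRACE_FILE) ---"
        tail -n 15 "$TRACE_FILE"
    fi
    return 1
}

# Usage: krb-diag.sh <ad-domain> <test-user>, e.g. ourlab.se aron.kelemen@ourlab.se
main() {
    domain="$1"; user="$2"
    shorthost=$(hostname -s)
    : > "$TRACE_FILE"
    # 1. TGT with the machine account key from /etc/krb5.keytab
    run_step "1 TGT from keytab" kinit -k || return 1
    # 2. a service ticket for our own host principal, closer to what sssd does
    run_step "2 service ticket for host/$shorthost" kvno -S host "$shorthost" || return 1
    # 3. adcli's own join test (LDAP + SASL/GSSAPI bind)
    run_step "3 adcli testjoin" adcli testjoin -D "$domain" -v || return 1
    # 4. NSS lookup through sssd: nsswitch.conf and attribute mapping
    run_step "4 getent passwd" getent passwd "$user" || return 1
    echo "== 5 Kerberos, LDAP/SASL and NSS are fine; inspect the auth phase of the PAM stack (/etc/pam.d/sshd -> password-auth) next"
}

if [ $# -ge 2 ]; then main "$@"; fi
```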
On Thu, Nov 18, 2021 at 7:16 AM Aron Kelemen Szabo <aron.kelemen(a)stralfors.se> wrote:
SSSD and Kerberos-related problems during joining a RHEL8.4-host to AD
by Aron Kelemen Szabo
Hello!
We are trying to join a RHEL8.4-server to our Active Directory with the realm name ourlab.se.
Our first attempt was to follow the RedHat-guide (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...) to join RHEL8.4 to an AD, also covering the installation and configuration of SSSD, and the machine seems to have been joined to the AD (the computer account appears and both adcli info ourlab.se as well as the id USERNAME(a)ourlab.se commands return valid lookup-results from the Active Directory)... The TGT also seems to be fetched successfully.
However, we cannot log on to the system with any AD-account and /var/log/sssd/krb5_child.log contains the errors below (please view the attached log-files for a complete log-listing), hitting the critical failure (SSSDBG_CRIT_FAILURE), emitting the internal error "[111][Connection refused]" already at the call to the function krb5_cc_cache_match(), called from the function create_ccache():
(2021-11-18 11:02:16): [krb5_child[3585]] [sss_send_pac] (0x0080): failed to contact PAC responder
(2021-11-18 11:02:16): [krb5_child[3585]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [aron.kelemen\@OURLAB.SE(a)OURLAB.SE] might not be correct.
(2021-11-18 11:02:16): [krb5_child[3585]] [sss_child_krb5_trace_cb] (0x4000): [3585] 1637229736.192904: Destroying ccache MEMORY:rd_req2
(2021-11-18 11:02:16): [krb5_child[3585]] [get_and_save_tgt] (0x2000): Running as [285279201][285200513].
(2021-11-18 11:02:16): [krb5_child[3585]] [sss_get_ccache_name_for_principal] (0x4000): Location: [KCM:]
(2021-11-18 11:02:16): [krb5_child[3585]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [111][Connection refused]
(2021-11-18 11:02:16): [krb5_child[3585]] [create_ccache] (0x0020): 1000: [111][Connection refused]
(2021-11-18 11:02:16): [krb5_child[3585]] [map_krb5_error] (0x0020): 1853: [111][Connection refused]
(2021-11-18 11:02:16): [krb5_child[3585]] [k5c_send_data] (0x0200): Received error code 1432158209
(2021-11-18 11:02:16): [krb5_child[3585]] [pack_response_packet] (0x2000): response packet size: [20]
(2021-11-18 11:02:16): [krb5_child[3585]] [k5c_send_data] (0x4000): Response sent.
(2021-11-18 11:02:16): [krb5_child[3585]] [main] (0x0400): krb5_child completed successfully
Interestingly, the following lines appeared in /var/log/secure when performing the logon-attempt above (with the AD-user kelaro):
Nov 18 13:12:50 test0003 sshd[4183]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.17.111.92 user=kelaro
Nov 18 13:12:50 test0003 sshd[4183]: pam_sss(sshd:auth): received for user kelaro: 4 (System error)
Nov 18 13:12:52 test0003 sshd[4183]: Failed password for kelaro from 172.17.111.92 port 54138 ssh2
/etc/sssd/sssd.conf contains the following settings:
[sssd]
domains = ourlab.se
config_file_version = 2
services = nss, pam
default_domain_suffix = ourlab.se
[domain/ourlab.se]
ad_domain = ourlab.se
krb5_realm = OURLAB.SE
debug_level = 10
ad_server = STLBYDCVPLV003.ourlab.se
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
ad_hostname = test0003.ourlab.se
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
We have also tried to:
1. Set krb5_validate to false as well as setting the default_ccache_name = FILE:/tmp/krb5cc_:%{uid} but none of these changes helped either.
2. Set the system crypto-policy from DEFAULT to DEFAULT:AD-SUPPORT (update-crypto-policies --set DEFAULT:AD-SUPPORT) did not help either.
3. Remove the host from the realm (realm leave), delete its computer account from the Active Directory, set its hostname as FQDN (hostnamectl set-hostname test0003.ourlab.se) and then re-join it again (realm join), but still with the same results...
4. Apply the realm permit --realm=ourlab.se --all command, but we could still not log in with our user (kelaro(a)ourlab.se). User principal for kelaro(a)ourlab.se is aron.kelemen\@OURLAB.SE(a)OURLAB.SE.
5. Set realmd_tags to "manages-system joined-with-adcli", but the problem still remained
6. Follow several other similar tutorials (for example https://www.redhat.com/sysadmin/linux-active-directory) to join the host to the AD, however all of them resulted in the same error described here.
The following SSSD and KRB5 package-versions are installed on the host:
sssd-client-2.5.2-2.el8_5.1.x86_64
sssd-krb5-2.5.2-2.el8_5.1.x86_64
sssd-2.5.2-2.el8_5.1.x86_64
sssd-nfs-idmap-2.4.0-9.el8_4.2.x86_64
sssd-common-2.5.2-2.el8_5.1.x86_64
sssd-ldap-2.5.2-2.el8_5.1.x86_64
sssd-proxy-2.5.2-2.el8_5.1.x86_64
sssd-ipa-2.5.2-2.el8_5.1.x86_64
sssd-kcm-2.5.2-2.el8_5.1.x86_64
sssd-tools-2.5.2-2.el8_5.1.x86_64
sssd-krb5-common-2.5.2-2.el8_5.1.x86_64
sssd-common-pac-2.5.2-2.el8_5.1.x86_64
sssd-ad-2.5.2-2.el8_5.1.x86_64
sssd-dbus-2.5.2-2.el8_5.1.x86_64
krb5-libs-1.18.2-8.3.el8_4.x86_64
I have also attached the krb5_child.log and ldap_child.log (created with log-level 0x3ff0) after my latest logon-attempt (as the user kelaro).
Any help/tips about:
1. Why the "Connection refused"-error is being generated by the krb5_cc_cache_match function
2. Why the UPN is getting appended to the user name (aron.kelemen@OURLAB.SE(a)OURLAB.SE, despite my having actively attempted to disable this by setting use_fully_qualified_names = False), and whether this can be declared as a fatal condition
3. Possible failure reasons for sss_send_pac, leading to the "failed to contact PAC responder" error message...
...would be greatly appreciated!
Med Vänliga Hälsningar / Best Regards
Áron Kelemen Szabó
IT Data Center Administrator / Linux Engineer
aron.kelemen(a)stralfors.se
PostNord Strålfors AB
System Error (4) SSSD + Smartcard + NIS
by Leon Castellano
Hello Users,
I'm hoping with your ample expertise you may be able to help me figure out how to fix the issue I'm running into.
A bit of background for context: I'm a sysadmin with NASA out of GSFC where we manage many legacy systems still using NIS. We cannot get rid of NIS or replace it with FreeIPA/LDAP/AD/etc. It would affect systems currently processing data coming down from spacecraft, labs, etc.
We're currently in the process of adopting Oracle Linux 8 as the default OS for our workstations and servers. As part of this process, I need to be able to:
1) Bind to NIS for the passwd/group/netgroup DBs
2) Use smartcard for SSH/GDM/Console access
Prior to OL8 we've been relying on NIS + PAM + "pam_pkcs11.so" and that has worked well enough for most of our needs.
However, with RH8/OL8 focusing primarily on SSSD, I've been trying to switch us to it.
So far I've managed to get smartcard auth to work when the user is local (files), but when the user is coming from NIS, I am getting the following error from gdm-smartcard (REDACTED = my username) in sssd_pam.log:
(2021-11-09 19:34:12): [pam] [sbus_dispatch] (0x4000): Dispatching.
(2021-11-09 19:34:12): [pam] [cache_req_search_cache] (0x0400): CR #12: Looking up [REDACTED@nis] in cache
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_callback": 0x5598d1f410b0
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_timeout": 0x5598d1f5e390
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Running timer event 0x5598d1f410b0 "ldb_kv_callback"
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f5e390 "ldb_kv_timeout"
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f410b0 "ldb_kv_callback"
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_callback": 0x5598d1f5c4f0
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_timeout": 0x5598d1f410b0
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Running timer event 0x5598d1f5c4f0 "ldb_kv_callback"
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f410b0 "ldb_kv_timeout"
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f5c4f0 "ldb_kv_callback"
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_callback": 0x5598d1f410b0
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_timeout": 0x5598d1f43580
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Running timer event 0x5598d1f410b0 "ldb_kv_callback"
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_callback": 0x5598d1f632e0
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_timeout": 0x5598d1f633b0
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f43580 "ldb_kv_timeout"
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f410b0 "ldb_kv_callback"
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Running timer event 0x5598d1f632e0 "ldb_kv_callback"
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_callback": 0x5598d1f43580
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_timeout": 0x5598d1f64bc0
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f633b0 "ldb_kv_timeout"
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f632e0 "ldb_kv_callback"
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Running timer event 0x5598d1f43580 "ldb_kv_callback"
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f64bc0 "ldb_kv_timeout"
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f43580 "ldb_kv_callback"
(2021-11-09 19:34:12): [pam] [cache_req_search_ncache_filter] (0x0400): CR #12: This request type does not support filtering result by negative cache
(2021-11-09 19:34:12): [pam] [cache_req_search_done] (0x0400): CR #12: Returning updated object [REDACTED@nis]
(2021-11-09 19:34:12): [pam] [cache_req_create_and_add_result] (0x0400): CR #12: Found 3 entries in domain nis
(2021-11-09 19:34:12): [pam] [cache_req_done] (0x0400): CR #12: Finished: Success
(2021-11-09 19:34:12): [pam] [pd_set_primary_name] (0x0400): User's primary name is REDACTED@nis
(2021-11-09 19:34:12): [pam] [pam_initgr_check_timeout] (0x4000): User [REDACTED] not found in PAM cache.
(2021-11-09 19:34:12): [pam] [pam_initgr_cache_set] (0x2000): [REDACTED] added to PAM initgroup cache
(2021-11-09 19:34:12): [pam] [pam_dp_send_req] (0x0100): Sending request with the following data:
(2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): domain: nis
(2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): user: REDACTED@nis
(2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): service: gdm-smartcard
(2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): tty: /dev/tty1
(2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): ruser: not set
(2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): rhost: not set
(2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): authtok type: 4 (Smart Card PIN)
(2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): newauthtok type: 0 (No authentication token available)
(2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): priv: 1
(2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): cli_pid: 5348
(2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): logon name: REDACTED
(2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): flags: 528
(2021-11-09 19:34:12): [pam] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(2021-11-09 19:34:12): [pam] [sbus_dispatch] (0x4000): Dispatching.
(2021-11-09 19:34:12): [pam] [sbus_reply_check] (0x4000): D-Bus error [sbus.Error.Errno]: 1432158215: DP target is not configured
(2021-11-09 19:34:12): [pam] [pam_dp_send_req_done] (0x0020): PAM handler failed [1432158215]: DP target is not configured
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_callback": 0x5598d1f43580
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_timeout": 0x5598d1f64bc0
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Running timer event 0x5598d1f43580 "ldb_kv_callback"
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f64bc0 "ldb_kv_timeout"
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f43580 "ldb_kv_callback"
(2021-11-09 19:34:12): [pam] [pam_reply] (0x4000): pam_reply initially called with result [4]: System error. this result might be changed during processing
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_callback": 0x5598d1f63190
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_timeout": 0x5598d1f43580
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Running timer event 0x5598d1f63190 "ldb_kv_callback"
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f43580 "ldb_kv_timeout"
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f63190 "ldb_kv_callback"
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_callback": 0x5598d1f632e0
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_timeout": 0x5598d1f63190
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Running timer event 0x5598d1f632e0 "ldb_kv_callback"
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f63190 "ldb_kv_timeout"
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f632e0 "ldb_kv_callback"
(2021-11-09 19:34:12): [pam] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(2021-11-09 19:34:12): [pam] [pam_reply] (0x0200): blen: 20
(2021-11-09 19:34:12): [pam] [pam_reply] (0x0200): Returning [4]: System error to the client
(2021-11-09 19:34:12): [pam] [client_recv] (0x0200): Client disconnected!
(2021-11-09 19:34:12): [pam] [client_close_fn] (0x2000): Terminated client [0x5598d1f3f0d0][26]
(2021-11-09 19:34:17): [pam] [pam_initgr_cache_remove] (0x2000): [REDACTED] removed from PAM initgroup cache
(2021-11-09 19:34:21): [pam] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x5598d1f3e560][24]
(2021-11-09 19:34:21): [pam] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x5598d1f3c870][25]
(2021-11-09 19:34:51): [pam] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x5598d1f3e560][24]
(2021-11-09 19:34:51): [pam] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x5598d1f3c870][25]
(2021-11-09 19:35:21): [pam] [client_idle_handler] (0x2000): Terminating idle client [0x5598d1f3e560][24]
(2021-11-09 19:35:21): [pam] [client_close_fn] (0x2000): Terminated client [0x5598d1f3e560][24]
(2021-11-09 19:35:21): [pam] [client_idle_handler] (0x2000): Terminating idle client [0x5598d1f3c870][25]
(2021-11-09 19:35:21): [pam] [client_close_fn] (0x2000): Terminated client [0x5598d1f3c870][25]
Here's the journalctl for gdm on debugging mode:
Nov 09 19:34:04 gs66-ol8desktop gdm-smartcard][5348]: pam_sss(gdm-smartcard:auth): User info message: Please insert smart card
Nov 09 19:34:04 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: 1 new messages received from PAM
Nov 09 19:34:04 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: username is 'REDACTED'
Nov 09 19:34:04 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: old-username='<unset>' new-username='REDACTED'
Nov 09 19:34:04 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: setting username to 'REDACTED'
Nov 09 19:34:04 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: attempting to load user settings
Nov 09 19:34:04 gs66-ol8desktop gdm-smartcard][5348]: accountsservice: ActUserManager: trying to track new user with username REDACTED
Nov 09 19:34:04 gs66-ol8desktop gdm-smartcard][5348]: accountsservice: ActUserManager: finding user 'REDACTED' state 1
Nov 09 19:34:04 gs66-ol8desktop gdm-smartcard][5348]: accountsservice: ActUserManager: finding user 'REDACTED' state 2
Nov 09 19:34:04 gs66-ol8desktop gdm-smartcard][5348]: accountsservice: ActUserManager: Looking for user 'REDACTED' in accounts service
Nov 09 19:34:04 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: received pam message of type 4 with payload 'Please insert smart card'
Nov 09 19:34:04 gs66-ol8desktop gdm[5045]: GdmSession: changing username from '<unset>' to 'REDACTED'
Nov 09 19:34:04 gs66-ol8desktop gdm[5045]: GdmSession: selecting user 'REDACTED' for session '(null)' (0x55ca1196c130)
Nov 09 19:34:04 gs66-ol8desktop gdm[5045]: GdmSession: getting session command for file 'gnome.desktop'
Nov 09 19:34:04 gs66-ol8desktop gdm[5045]: GdmSession: checking if file 'gnome.desktop' is wayland session: yes
Nov 09 19:34:04 gs66-ol8desktop gdm[5045]: GdmSession: getting session command for file 'gnome.desktop'
Nov 09 19:34:04 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: PAM conversation returning 0: Success
Nov 09 19:34:06 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: 1 new messages received from PAM
Nov 09 19:34:06 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: username is 'REDACTED'
Nov 09 19:34:06 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: old-username='REDACTED' new-username='REDACTED'
Nov 09 19:34:06 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: received pam message of type 1 with payload 'PIN for Smartcard: '
Nov 09 19:34:09 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: trying to get updated username
Nov 09 19:34:09 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: PAM conversation returning 0: Success
Nov 09 19:34:12 gs66-ol8desktop gdm-smartcard][5348]: pam_sss(gdm-smartcard:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=REDACTED
Nov 09 19:34:12 gs66-ol8desktop gdm-smartcard][5348]: pam_sss(gdm-smartcard:auth): received for user REDACTED: 4 (System error)
Nov 09 19:34:12 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: authentication returned 7: Authentication failure
Nov 09 19:34:12 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: uninitializing PAM
Nov 09 19:34:12 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: state NONE
Nov 09 19:34:12 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: Unable to verify user
Nov 09 19:34:12 gs66-ol8desktop gdm-smartcard][5348]: accountsservice: ActUserManager: Found object path of user 'REDACTED': /org/freedesktop/Accounts/User2579
Nov 09 19:34:12 gs66-ol8desktop gdm-smartcard][5348]: accountsservice: ActUserManager: finding user 'REDACTED' state 3
Nov 09 19:34:12 gs66-ol8desktop gdm-smartcard][5348]: accountsservice: ActUserManager: user 'REDACTED' fetched
Nov 09 19:34:12 gs66-ol8desktop gdm[5045]: GdmSession: stopping conversation gdm-smartcard
Nov 09 19:34:12 gs66-ol8desktop gdm[5045]: GdmSessionWorkerJob: Stopping job pid:5348
Nov 09 19:34:12 gs66-ol8desktop gdm[5045]: GdmCommon: sending signal 15 to process 5348
Nov 09 19:34:12 gs66-ol8desktop gdm[5045]: GdmSessionWorkerJob: child (pid:5348) done (status:0)
Nov 09 19:34:12 gs66-ol8desktop gdm[5045]: GdmSession: Worker job exited: 0
Nov 09 19:34:12 gs66-ol8desktop gdm[5045]: GdmSession: Emitting conversation-stopped signal
Nov 09 19:34:12 gs66-ol8desktop gdm[5045]: GdmManager: session conversation 'gdm-smartcard' stopped
Nov 09 19:34:14 gs66-ol8desktop gdm[5045]: GdmManager: Session was cancelled
Nov 09 19:34:14 gs66-ol8desktop gdm[5045]: GdmSession: Stopping all conversations
Nov 09 19:34:14 gs66-ol8desktop gdm[5045]: GdmManager: trying to open new session
In order for SSSD to know about the NIS users I added a "domain" entry using "proxy" "nis"
Here's my sssd.conf:
[sssd]
services = nss, pam
domains = files, nis
certificate_verification = ocsp_dgst=sha1,soft_ocsp
debug_level = 10
use_fully_qualified_domain_name = False
[nss]
[pam]
pam_cert_auth = True
pam_cert_db_path = /etc/sssd/pki/linuxIdentity.pem
debug_level = 10
[domain/files]
id_provider = files
debug_level = 10
[domain/nis]
id_provider = proxy
auth_provider = none
proxy_lib_name = nis
#enumerate = true
#cache_credentials = true
debug_level = 10
I know this is working because "getent passwd <user>" works fine to retrieve info about an NIS user, even though I do not have NIS defined in my nsswitch.conf
Here's my nsswitch.conf:
passwd: sss files systemd
group: sss files systemd
netgroup: sss files
automount: sss files
services: sss files
shadow: files sss
hosts: files dns myhostname
aliases: files
ethers: files
gshadow: files
networks: files dns
protocols: files
publickey: files
rpc: files
Here's my /etc/pam.d/gdm-smartcard:
auth substack smartcard-auth
auth include postlogin
account required pam_nologin.so
account sufficient pam_localuser.so
account include smartcard-auth
#password include smartcard-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include smartcard-auth
session include postlogin
Here's my /etc/pam.d/smartcard-auth:
# Generated by authselect on Tue Nov 9 17:18:21 2021
# Do not modify this file manually.
auth required pam_env.so
auth [default=1 success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [success=done default=ignore] pam_sss.so ignore_authinfo_unavail require_cert_auth
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
Here's my /etc/pam.d/postlogin:
# Generated by authselect on Tue Nov 9 17:18:21 2021
# Do not modify this file manually.
session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed
And my "dconf dump /":
[org/gnome/settings-daemon/plugins/media-keys]
logout=''
[org/gnome/login-screen]
enable-smartcard-authentication=true
enable-password-authentication=true
enable-fingerprint-authentication=false
[org/gnome/desktop/screensaver]
lock-delay=uint32 1
lock-enabled=true
[org/gnome/desktop/session]
idle-delay=uint32 600
I get the feeling I'm close to cracking this one, and it's probably something silly I am missing; truth is, this is my first time dealing with SSSD in detail.
Hope one of you smart cookies knows what I'm messing up!
Best regards,
-Leon
1 year, 7 months
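The PAM responder log and the sssd.conf in the post above line up: the SSS_PAM_AUTHENTICATE request for user REDACTED@nis (service gdm-smartcard, authtok type 4, Smart Card PIN) is forwarded to domain nis, the data provider answers "DP target is not configured" (error 1432158215), the responder returns PAM result 4 (System error), and the posted [domain/nis] section sets auth_provider = none. The script below is an added example, not SSSD project code, that pulls that pairing out of a sssd_pam.log automatically: it groups each pam_print_data block into a request, attaches the pam_dp_send_req_done reply and the final pam_reply, and looks up the target domain's id_provider and auth_provider in sssd.conf (sssd.conf(5) states that auth_provider defaults to the id_provider when unset, so the script reports that as the effective value). The sample log and config are excerpts copied from the post and embedded inline; the regular expressions assume the debug-message formats shown there.

```python
"""Pair SSSD PAM-responder requests with their data-provider outcome and the
target domain's providers from sssd.conf.  Added example for this thread,
not SSSD project code; message formats assumed from the post's sssd_pam.log.
"""
import configparser
import re
from dataclasses import dataclass, field
from typing import Optional

# Message shapes taken from the sssd_pam.log excerpt in the post.
PRINT_RE = re.compile(r"\[pam_print_data\] \(0x[0-9a-f]+\): ([\w ]+?): (.*)$")
DP_FAIL_RE = re.compile(r"\[pam_dp_send_req_done\] \(0x[0-9a-f]+\): PAM handler failed \[(\d+)\]: (.*)$")
REPLY_RE = re.compile(r"\[pam_reply\] \(0x[0-9a-f]+\): Returning \[(\d+)\]: (.*) to the client$")


@dataclass
class PamRequest:
    fields: dict = field(default_factory=dict)  # command, domain, user, service, authtok type, ...
    dp_errno: Optional[int] = None
    dp_error: Optional[str] = None
    pam_result: Optional[int] = None
    pam_message: Optional[str] = None


def parse_pam_log(lines):
    """Group pam_print_data lines into requests; attach the DP reply and PAM result."""
    requests, current = [], None
    for line in lines:
        m = PRINT_RE.search(line)
        if m:
            key, value = m.groups()
            if key == "command":  # first line of every pam_print_data block
                current = PamRequest()
                requests.append(current)
            if current is not None:
                current.fields[key] = value
            continue
        m = DP_FAIL_RE.search(line)
        if m and current is not None:
            current.dp_errno, current.dp_error = int(m.group(1)), m.group(2)
            continue
        m = REPLY_RE.search(line)
        if m and current is not None:
            current.pam_result, current.pam_message = int(m.group(1)), m.group(2)
    return requests


def load_sssd_conf(conf_text):
    cp = configparser.ConfigParser(interpolation=None)  # values like ocsp_dgst=sha1 contain '='
    cp.read_string(conf_text)
    return cp


def domain_providers(cp):
    """Return {domain: (id_provider, effective auth_provider)}; per sssd.conf(5)
    an unset auth_provider falls back to the id_provider."""
    out = {}
    for section in cp.sections():
        if section.startswith("domain/"):
            idp = cp.get(section, "id_provider", fallback=None)
            out[section.split("/", 1)[1]] = (idp, cp.get(section, "auth_provider", fallback=idp))
    return out


def correlate(log_lines, conf_text):
    """For each request the data provider rejected, pair the request with the
    providers configured for the domain it was sent to."""
    cp = load_sssd_conf(conf_text)
    domains = domain_providers(cp)
    findings = []
    for req in parse_pam_log(log_lines):
        if req.dp_error is None:
            continue
        dom = req.fields.get("domain")
        idp, auth = domains.get(dom, (None, None))
        findings.append({
            "command": req.fields.get("command"), "service": req.fields.get("service"),
            "user": req.fields.get("user"), "authtok": req.fields.get("authtok type"),
            "domain": dom, "id_provider": idp, "auth_provider": auth,
            "pam_cert_auth": cp.getboolean("pam", "pam_cert_auth", fallback=False),
            "dp_error": f"{req.dp_errno}: {req.dp_error}",
            "pam_result": f"{req.pam_result}: {req.pam_message}",
        })
    return findings


# Constructed sample input: lines copied from the post (user name redacted there).
SAMPLE_LOG = """\
(2021-11-09 19:34:12): [pam] [pam_dp_send_req] (0x0100): Sending request with the following data:
(2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): domain: nis
(2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): user: REDACTED@nis
(2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): service: gdm-smartcard
(2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): authtok type: 4 (Smart Card PIN)
(2021-11-09 19:34:12): [pam] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(2021-11-09 19:34:12): [pam] [pam_dp_send_req_done] (0x0020): PAM handler failed [1432158215]: DP target is not configured
(2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_callback": 0x5598d1f43580
(2021-11-09 19:34:12): [pam] [pam_reply] (0x0200): Returning [4]: System error to the client
""".splitlines()

SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = files, nis
certificate_verification = ocsp_dgst=sha1,soft_ocsp
[pam]
pam_cert_auth = True
pam_cert_db_path = /etc/sssd/pki/linuxIdentity.pem
[domain/files]
id_provider = files
[domain/nis]
id_provider = proxy
auth_provider = none
proxy_lib_name = nis
#enumerate = true
"""

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG, SAMPLE_CONF):
        print(finding)
```

Run it against a real sssd_pam.log (debug_level = 10, as in the post) and the live sssd.conf by swapping the two samples for file contents; each printed finding names the service, domain, token type, the data-provider error and the domain's configured providers in one record, which is the information a reply on the thread needs.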