sssd-users February 2021

sssd-users@lists.fedorahosted.org

12 participants
19 discussions

session unlock with smartcard stops working when updating shared library
by Winberg Adam 23 Feb '21

23 Feb '21

We're using a third party shared library for communication with our smartcards, using RHEL 8.3. SSSD uses p11 to communicate with the cards, this works fine. But, when I update the third party lib file to a new version, I can no longer unlock my Gnome session with the smart card. Debug logs shows the following in p11_child.log: (2021-02-22 7:55:07): [p11_child[3059726]] [main] (0x0010): --module_name, --token_name and --key_id must be given for authentication (2021-02-22 7:55:07): [p11_child[3059726]] [main] (0x0020): p11_child failed! And in sssd_pam.log: (2021-02-22 7:55:07): [pam] [parse_p11_child_response] (0x1000): No certificate found. (2021-02-22 7:55:07): [pam] [pam_forwarder_cert_cb] (0x0020): No certificate returned, authentication failed. I can use the smartcard for other actions, like sudo and logging in to a new session, but not to unlock the existing session. It's like some session specific data no longer is available or no longer matches when the lib file has changed on disk. This makes it really hard to update the lib file on our users computers, seeing as doing so will effectively lock them out of their sessions. Does anyone recognize this behaviour and is there anything I can do to avoid it? Regards Adam Winberg

2 4

Bug: Trying to get hostent from a name-less server / Server without name and address found in list.
by Anthony Joseph Messina 20 Feb '21

20 Feb '21

After upgrading to sssd-2.4.1-1.fc33.x86_64, I began seeing the following in my sssd_be log: Bug: Trying to get hostent from a name-less server Server without name and address found in list. These entries occur at the time a user logins into cyrus-imapd via saslauthd. salsauthd uses the PAM backend, which uses SSSD. I increased the log-level and see the following, but am not sure how to interpret it, or if this is really an issue. There are no problems with the users logging into cyrus-imapd. Any pointers are appreciated. Thanks. Feb 16 10:17:52 sssd_be[724]: Marking port 0 of duplicate server 'ipa.example.com' as 'working' Feb 16 10:17:52 sssd_be[724]: DP Request [PAM Preauth #18362]: Request handler finished [0]: Success Feb 16 10:17:52 sssd_be[724]: DP Request [PAM Preauth #18362]: Receiving request data. Feb 16 10:17:52 sssd_be[724]: DP Request [PAM Preauth #18362]: Request removed. Feb 16 10:17:52 sssd_be[724]: Number of active DP request: 1 Feb 16 10:17:52 sssd_be[724]: sssd.dataprovider.pamHandler: Success Feb 16 10:17:52 sssd_be[724]: Constructed uri 'ldap://ipa.example.com' Feb 16 10:17:52 sssd_be[724]: Bug: Trying to get hostent from a name-less server Feb 16 10:17:52 sssd_be[724]: Server without name and address found in list. Feb 16 10:17:52 sssd_be[724]: All data has been sent! -- Anthony - https://messinet.com F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6

2 3

Announcing SSSD 2.4.2
by Pavel Březina 19 Feb '21

19 Feb '21

# SSSD 2.4.2 The SSSD team is proud to announce the release of version 2.4.2 of the System Security Services Daemon. The tarball can be downloaded from: https://github.com/SSSD/sssd/releases/tag/2.4.2 See the full release notes at: https://sssd.io/docs/users/relnotes/notes_2_4_2 RPM packages will be made available for Fedora shortly. ## Feedback Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users ## Highlights ### General information * Default value of 'user' config option was fixed into accordance with man page, i.e. default is 'root' * Example systemd service configs now makes use of CapabilityBoundingSet option as a security hardening measure. ### New features * `pam_sss_gss` now support authentication indicators to further harden the authentication ### Configuration changes * Added `pam_gssapi_indicators_map` to configure authentication indicators requirements

1 0

problem obtaining kerberos ticket with sssd
by mbalembo 17 Feb '21

17 Feb '21

Hello, I have trouble obtaining a kerberos ticket when loggin with sssd. in /var/log/sssd/krb5_child.log i get the line : [[sssd[krb5_child[9521]]]] [unpack_buffer] (0x0100): cmd [241] uid [10007] gid [10000] validate [false] enterprise principal [true] offline [false] UPN [USER@MYDOMAIN] My problem is i need to restart the service to switch this to "offline [false]". (Note that authentication works otherwise, it's just the kerberos ticket that is missing). Maybe I missed an option to set the update rate ? Thanks, Marc

3 3

sdap_save_user Failed to save user?
by Lachlan Simpson 16 Feb '21

16 Feb '21

Hi, I'm having trouble getting results with IPA and SSSD, so I'm starting from first principles. Running on RHEL 8.3, I have an IPA server (idm) and a test client (idm-test), with one way trusts to the company AD - both their adtest.company.com and production ad.company.com I can't get id or ssh working on idm-test, so I went back to the IPA server to see if I can get id resolution there. This is what I'm seeing in /var/log/sssd/sssd_test.linux.company.com.log: (2021-02-15 10:43:17): [be[test.linux.company.com]] [sdap_save_user] (0x0020): Failed to save user [z3530577(a)ad.company.com] Here are the longer details ipaserver = FreeIPA 4.8.7, SSSD 2.3.0 domain = test.linux.company.com trusts = adtest.company.com, ad.company.com [root@idm ~]# sssctl domain-list implicit_files test.linux.company.com adtest.company.com ad.company.com [root@idm ~]# sssctl domain-status adtest.company.com Online status: Online ... [root@idm ~]# sssctl domain-status ad.company.com Online status: Online ... chronyd is set up against ntp.company.com [root@idm ~]# id z3530577(a)adtest.company.com uid=13530577(z3530577(a)adtest.company.com) gid=5000(company(a)test.linux.company.com) groups=5000(company(a)test.linux.company.com) [root@idm ~]# getent passwd z3530577(a)adtest.company.com z3530577@adtest.company.com:*:13530577:5000:Rajkumar Theeban:/home/adtest.company.com/z3530577:/bin/bash [root@idm ~]# id z3530577(a)ad.company.com id: ‘z3530577(a)ad.company.xn--com-to0a: no such user [root@idm ~]# id z3530577(a)ad.company.com id: ‘z3530577(a)ad.company.xn--com-to0a: no such user As you can see, the user in ad.company.com can't be found. Here is the log file /var/log/sssd/sssd_test.linux.company.com.log with more context /var/log/sssd/sssd_test.linux.company.com.log (2021-02-15 10:43:17): [be[test.linux.company.com]] [sss_domain_get_state] (0x1000): Domain ad.company.com is Active (2021-02-15 10:43:17): [be[test.linux.company.com]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(userPrincipalName=z3530577(a)ad.company.com )(mail=z3530577@ad.company.com)(userPrincipalName=z3530577\\@ad.company.com@AD.company.com))(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=ad,dc=unsw,dc=edu,dc= au]. (2021-02-15 10:43:17): [be[test.linux.company.com]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://ad.company.com/CN=Configuration,DC=a d,DC=unsw,DC=edu,DC=au (2021-02-15 10:43:17): [be[test.linux.company.com]] [generic_ext_search_handler] (0x4000): Ref: ldap://ad.company.com/CN=Configuration,DC=ad,DC=unsw,DC=edu,DC=au (2021-02-15 10:43:17): [be[test.linux.company.com]] [sss_domain_get_state] (0x1000): Domain ad.company.com is Active (2021-02-15 10:43:17): [be[test.linux.company.com]] [sdap_save_user] (0x0400): Processing user z3530577(a)ad.company.com (2021-02-15 10:43:17): [be[test.linux.company.com]] [sdap_save_user] (0x1000): Mapping user [z3530577(a)ad.company.com] objectSID [S-1-5-21-1140405718-358989843-3445714 273-3730445] to unix ID (2021-02-15 10:43:17): [be[test.linux.company.com]] [sdap_save_user] (0x0020): Failed to save user [z3530577(a)ad.company.com] (2021-02-15 10:43:17): [be[test.linux.company.com]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [z3530577(a)ad.company.com] found.

2 2

Re: [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts
by Rudi Dayan 15 Feb '21

15 Feb '21

1 1

Re: [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts
by Rudi Dayan 12 Feb '21

12 Feb '21

Hello, I am using the email because it s easier to send attachments here. I separated the log to the section before the terminal ask the user password, and the section after enter the domain password. Thanks, Rudi Sent from Mail for Windows 10

2 1

sudo (with sssd) command duration 50ms -> 400ms performance degradation
by Judd Gaddie 09 Feb '21

09 Feb '21

Hi, We have noticed a performance regression on some of our boxes when we upgraded from Ubuntu 18.04 (sssd 1.16.1-1ubuntu1.7) (sudo 1.8.21p2) -> Ubuntu 20.04 (sssd 2.2.3-3ubuntu0.1) (sudo 1.8.31) (however it was not universal, some Ubuntu 20.04 boxes are fine) joined to a FreeIPA domain. We have noticed the following line takes a long when turned on sudo debug logging (not sure if this is red hearing) sudo_pam_approval @ ../../../plugins/sudoers/auth/pam.c:330 Any idea what may cause this, or something to try would be much appreciated? see benchmark Ubuntu 18.04 ./hyperfine "sudo -u user true" --warmup 5 Benchmark #1: sudo -u trans true Time (mean ± σ): 51.0 ms ± 24.6 ms [User: 5.7 ms, System: 3.5 ms] Range (min … max): 42.1 ms … 236.7 ms 60 runs Ubuntu 20.04 Benchmark #1: sudo -u user true Time (mean ± σ): 436.0 ms ± 36.1 ms [User: 15.2 ms, System: 14.7 ms] Range (min … max): 407.4 ms … 534.3 ms 10 runs

2 3

Announcing SSSD 2.4.1
by Pavel Březina 05 Feb '21

05 Feb '21

# SSSD 2.4.1 The SSSD team is proud to announce the release of version 2.4.1 of the System Security Services Daemon. The tarball can be downloaded from: https://github.com/SSSD/sssd/releases/tag/2.4.1 See the full release notes at: https://sssd.io/docs/users/relnotes/notes_2_4_1 RPM packages will be made available for Fedora shortly. ## Feedback Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users ## Highlights ### General information * `SYSLOG_IDENTIFIER` was renamed to `SSSD_PRG_NAME` in journald output, to avoid issues with PID parsing in rsyslog (BSD-style forwarder) output. ### New features * New PAM module `pam_sss_gss` for authentication using GSSAPI * `case_sensitive=Preserving` can now be set for trusted domains with AD provider * `case_sensitive=Preserving` can now be set for trusted domains with IPA provider. However, the option needs to be set to `Preserving` on both client and the server for it to take effect. * `case_sensitive` option can be now inherited by subdomains * `case_sensitive` can be now set separately for each subdomain in `[domain/parent/subdomain]` section * `krb5_use_subdomain_realm=True` can now be used when sub-domain user principal names have upnSuffixes which are not known in the parent domain. SSSD will try to send the Kerberos request directly to a KDC of the sub-domain. ### Important fixes * krb5_child uses proper umask for DIR type ccaches * Memory leak in the simple access provider * KCM performance has improved dramatically for cases where large amount of credentials are stored in the ccache. ### Packaging changes * Added `pam_sss_gss.so` PAM module and `pam_sss_gss.8` manual page ### Configuration changes * New default value of `debug_level` is 0x0070 * Added `pam_gssapi_check_upn` to enforce authentication only with principal that can be associated with target user. * Added `pam_gssapi_services` to list PAM services that can authenticate using GSSAPI

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

sssd-users February 2021