Bug: Trying to get hostent from a name-less server / Server without name and address found in list.
by Anthony Joseph Messina
After upgrading to sssd-2.4.1-1.fc33.x86_64, I began seeing the following in my sssd_be log:
Bug: Trying to get hostent from a name-less server
Server without name and address found in list.
These entries occur at the time a user logs into cyrus-imapd via saslauthd.
saslauthd uses the PAM backend, which uses SSSD. I increased the log-level and
see the following, but am not sure how to interpret it, or if this is really an
issue. There are no problems with the users logging into cyrus-imapd.
Any pointers are appreciated. Thanks.
Feb 16 10:17:52 sssd_be[724]: Marking port 0 of duplicate server 'ipa.example.com' as 'working'
Feb 16 10:17:52 sssd_be[724]: DP Request [PAM Preauth #18362]: Request handler finished [0]: Success
Feb 16 10:17:52 sssd_be[724]: DP Request [PAM Preauth #18362]: Receiving request data.
Feb 16 10:17:52 sssd_be[724]: DP Request [PAM Preauth #18362]: Request removed.
Feb 16 10:17:52 sssd_be[724]: Number of active DP request: 1
Feb 16 10:17:52 sssd_be[724]: sssd.dataprovider.pamHandler: Success
Feb 16 10:17:52 sssd_be[724]: Constructed uri 'ldap://ipa.example.com'
Feb 16 10:17:52 sssd_be[724]: Bug: Trying to get hostent from a name-less server
Feb 16 10:17:52 sssd_be[724]: Server without name and address found in list.
Feb 16 10:17:52 sssd_be[724]: All data has been sent!
--
Anthony - https://messinet.com
F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6
problem obtaining kerberos ticket with sssd
by mbalembo
Hello,
I have trouble obtaining a kerberos ticket when logging in with sssd.
In /var/log/sssd/krb5_child.log I get the line:
[[sssd[krb5_child[9521]]]] [unpack_buffer] (0x0100): cmd [241] uid [10007] gid [10000] validate [false] enterprise principal [true] offline [false] UPN [USER@MYDOMAIN]
My problem is I need to restart the service to switch this to "offline [false]".
(Note that authentication works otherwise, it's just the kerberos ticket that is missing).
Maybe I missed an option to set the update rate?
Thanks,
Marc
sdap_save_user Failed to save user?
by Lachlan Simpson
Hi,
I'm having trouble getting results with IPA and SSSD, so I'm starting from first principles.
Running on RHEL 8.3, I have an IPA server (idm) and a test client (idm-test), with one way trusts to the company AD - both their adtest.company.com and production ad.company.com
I can't get id or ssh working on idm-test, so I went back to the IPA server to see if I can get id resolution there. This is what I'm seeing in /var/log/sssd/sssd_test.linux.company.com.log:
(2021-02-15 10:43:17): [be[test.linux.company.com]] [sdap_save_user] (0x0020): Failed to save user [z3530577@ad.company.com]
Here are the longer details
ipaserver = FreeIPA 4.8.7, SSSD 2.3.0
domain = test.linux.company.com
trusts = adtest.company.com, ad.company.com
[root@idm ~]# sssctl domain-list
implicit_files
test.linux.company.com
adtest.company.com
ad.company.com
[root@idm ~]# sssctl domain-status adtest.company.com
Online status: Online
...
[root@idm ~]# sssctl domain-status ad.company.com
Online status: Online
...
chronyd is set up against ntp.company.com
[root@idm ~]# id z3530577@adtest.company.com
uid=13530577(z3530577@adtest.company.com) gid=5000(company@test.linux.company.com) groups=5000(company@test.linux.company.com)
[root@idm ~]# getent passwd z3530577@adtest.company.com
z3530577@adtest.company.com:*:13530577:5000:Rajkumar Theeban:/home/adtest.company.com/z3530577:/bin/bash
[root@idm ~]# id z3530577@ad.company.com
id: ‘z3530577@ad.company.com’: no such user
[root@idm ~]# id z3530577@ad.company.com
id: ‘z3530577@ad.company.com’: no such user
As you can see, the user in ad.company.com can't be found.
Here is the log file /var/log/sssd/sssd_test.linux.company.com.log with more context:
(2021-02-15 10:43:17): [be[test.linux.company.com]] [sss_domain_get_state] (0x1000): Domain ad.company.com is Active
(2021-02-15 10:43:17): [be[test.linux.company.com]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(userPrincipalName=z3530577@ad.company.com)(mail=z3530577@ad.company.com)(userPrincipalName=z3530577\\@ad.company.com@AD.company.com))(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=ad,dc=unsw,dc=edu,dc=au].
(2021-02-15 10:43:17): [be[test.linux.company.com]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://ad.company.com/CN=Configuration,DC=ad,DC=unsw,DC=edu,DC=au
(2021-02-15 10:43:17): [be[test.linux.company.com]] [generic_ext_search_handler] (0x4000): Ref: ldap://ad.company.com/CN=Configuration,DC=ad,DC=unsw,DC=edu,DC=au
(2021-02-15 10:43:17): [be[test.linux.company.com]] [sss_domain_get_state] (0x1000): Domain ad.company.com is Active
(2021-02-15 10:43:17): [be[test.linux.company.com]] [sdap_save_user] (0x0400): Processing user z3530577@ad.company.com
(2021-02-15 10:43:17): [be[test.linux.company.com]] [sdap_save_user] (0x1000): Mapping user [z3530577@ad.company.com] objectSID [S-1-5-21-1140405718-358989843-3445714273-3730445] to unix ID
(2021-02-15 10:43:17): [be[test.linux.company.com]] [sdap_save_user] (0x0020): Failed to save user [z3530577@ad.company.com]
(2021-02-15 10:43:17): [be[test.linux.company.com]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [z3530577@ad.company.com] found.
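The log above fails right after "Mapping user ... objectSID ... to unix ID", which is the step where SSSD turns the AD objectSID into a POSIX ID using the ID range it knows for that domain (for an IPA trust, ID = base_id + (RID - base_rid), and a domain SID with no matching range cannot be mapped). The following is an added illustration, not SSSD's or IPA's code: it pulls the SID out of that log line, splits it into domain SID and RID, and applies constructed ranges so that the adtest domain maps while the ad.company.com SID from the post does not. The range numbers and the adtest domain SID are made up for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
# Matches the sdap_save_user line from the post once it is joined onto one line.
MAP_LINE_RE = re.compile(r"\[sdap_save_user\].*objectSID \[(S-[\d-]+)\] to unix ID")


@dataclass(frozen=True)
class IdRange:
    """Constructed stand-in for an IPA idrange of a trusted AD domain."""
    dom_sid: str      # SID of the domain the range belongs to (no RID)
    base_id: int      # first POSIX ID of the range
    range_size: int   # number of IDs in the range
    base_rid: int     # RID that maps to base_id


# Constructed ranges: only the (made-up) adtest domain SID is known here; the
# ad.company.com SID seen in the post has no range, just like in the log.
RANGES: List[IdRange] = [
    IdRange("S-1-5-21-111-222-333", base_id=10_000_000, range_size=4_000_000, base_rid=0),
]

# Constructed copy of the log line from the post, with the wrapped SID joined.
LOG_LINE = ("(2021-02-15 10:43:17): [be[test.linux.company.com]] [sdap_save_user] (0x1000): "
            "Mapping user [z3530577@ad.company.com] objectSID "
            "[S-1-5-21-1140405718-358989843-3445714273-3730445] to unix ID")


def sid_from_log_line(line: str) -> Optional[str]:
    """Return the objectSID quoted in an sdap_save_user mapping line, if any."""
    m = MAP_LINE_RE.search(line)
    return m.group(1) if m else None


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-...-RID' into (domain SID, RID); reject malformed input."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    dom, _, rid = sid.rpartition("-")
    return dom, int(rid)


def sid_to_unix_id(sid: str, ranges: List[IdRange]) -> Optional[int]:
    """Map a SID to a POSIX ID; None means SSSD would fail to save the user."""
    dom, rid = split_sid(sid)
    for r in ranges:
        if r.dom_sid != dom:
            continue
        if rid < r.base_rid or rid - r.base_rid >= r.range_size:
            return None  # domain known, but the RID lies outside its range
        return r.base_id + (rid - r.base_rid)
    return None  # no range covers this domain SID


if __name__ == "__main__":
    sid = sid_from_log_line(LOG_LINE)
    print(sid, "->", sid_to_unix_id(sid, RANGES))
```

Running it with the ranges above yields None for the SID from the post, the same outcome the log reports; checking `ipa idrange-find` on the IPA server for a range whose SID matches the domain part of that objectSID is the natural next step.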
sudo (with sssd) command duration 50ms -> 400ms performance degradation
by Judd Gaddie
Hi, We have noticed a performance regression on some of our boxes when we upgraded from
Ubuntu 18.04 (sssd 1.16.1-1ubuntu1.7) (sudo 1.8.21p2) -> Ubuntu 20.04 (sssd
2.2.3-3ubuntu0.1) (sudo 1.8.31) (however it was not universal, some Ubuntu 20.04 boxes are
fine) joined to a FreeIPA domain.
We have noticed the following line takes a long time when sudo debug logging is turned on (not
sure if this is a red herring): sudo_pam_approval @ ../../../plugins/sudoers/auth/pam.c:330
Any idea what may cause this, or something to try would be much appreciated?
see benchmark
Ubuntu 18.04
./hyperfine "sudo -u user true" --warmup 5
Benchmark #1: sudo -u trans true
Time (mean ± σ): 51.0 ms ± 24.6 ms [User: 5.7 ms, System: 3.5 ms]
Range (min … max): 42.1 ms … 236.7 ms 60 runs
Ubuntu 20.04
Benchmark #1: sudo -u user true
Time (mean ± σ): 436.0 ms ± 36.1 ms [User: 15.2 ms, System: 14.7 ms]
Range (min … max): 407.4 ms … 534.3 ms 10 runs
Announcing SSSD 2.4.1
by Pavel Březina
# SSSD 2.4.1
The SSSD team is proud to announce the release of version 2.4.1 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/2.4.1
See the full release notes at:
https://sssd.io/docs/users/relnotes/notes_2_4_1
RPM packages will be made available for Fedora shortly.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
## Highlights
### General information
* `SYSLOG_IDENTIFIER` was renamed to `SSSD_PRG_NAME` in journald output,
to avoid issues with PID parsing in rsyslog (BSD-style forwarder) output.
### New features
* New PAM module `pam_sss_gss` for authentication using GSSAPI
* `case_sensitive=Preserving` can now be set for trusted domains with AD
provider
* `case_sensitive=Preserving` can now be set for trusted domains with
IPA provider. However, the option needs to be set to `Preserving` on
both client and the server for it to take effect.
* `case_sensitive` option can now be inherited by subdomains
* `case_sensitive` can now be set separately for each subdomain in
`[domain/parent/subdomain]` section
* `krb5_use_subdomain_realm=True` can now be used when sub-domain user
principal names have upnSuffixes which are not known in the parent
domain. SSSD will try to send the Kerberos request directly to a KDC of
the sub-domain.
### Important fixes
* krb5_child uses proper umask for DIR type ccaches
* Memory leak in the simple access provider
* KCM performance has improved dramatically for cases where a large number
of credentials are stored in the ccache.
### Packaging changes
* Added `pam_sss_gss.so` PAM module and `pam_sss_gss.8` manual page
### Configuration changes
* New default value of `debug_level` is 0x0070
* Added `pam_gssapi_check_upn` to enforce authentication only with
principal that can be associated with target user.
* Added `pam_gssapi_services` to list PAM services that can authenticate
using GSSAPI
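The two new `[pam]` options and the new module fit together as in the fragment below. This is an added configuration example, not part of the announcement: it lists the sudo services as the ones allowed to authenticate with an existing Kerberos ticket, keeps the UPN check on, and shows where `pam_sss_gss.so` goes in the PAM stack. Service names and the `system-auth` include are assumptions for a Fedora-style layout.

```ini
# /etc/sssd/sssd.conf (fragment, added example)
[pam]
# pam_sss_gss.so stays inert until the services allowed to use it are listed
# here; the default is none, so enable only what needs ticket-based auth.
pam_gssapi_services = sudo, sudo-i
# Reject a ticket whose principal cannot be associated with the target user.
# This is the default and is spelled out here so the intent is visible.
pam_gssapi_check_upn = True

# /etc/pam.d/sudo (fragment, added example): try the ticket first, otherwise
# fall through to the regular stack so a missing ticket still prompts normally.
# auth sufficient pam_sss_gss.so
# auth include   system-auth
```

If `pam_gssapi_check_upn` is set to False, any principal with a valid ticket for the service satisfies the module, so keep the default unless every principal in the ccache is already tied to the same account.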