Help with pam_sss_gss.so
by Sam Morris
I have two Debian systems, and using pam_sss_gss.so for sudo works fine on one of them, but not the other.
Both have SSSD 2.4.1 installed and are joined to FreeIPA domains. On the system where it works, the user is defined in the FreeIPA domain.
On the system where it doesn't work, my user is an AD trust user.
Here's what I get from sssd_pam.log:
(2021-04-01 10:54:52): [pam] [server_common_rotate_logs] (0x0010): Debug level changed to 0x07f0
(2021-04-01 10:54:52): [pam] [sbus_issue_request_done] (0x0400): sssd.service.rotateLogs: Success
(2021-04-01 10:55:00): [pam] [accept_fd_handler] (0x0400): Client [0x55b162023b40][19] connected to privileged pipe!
(2021-04-01 10:55:00): [pam] [sss_cmd_get_version] (0x0200): Received client version [3].
(2021-04-01 10:55:00): [pam] [sss_cmd_get_version] (0x0200): Offered version [3].
(2021-04-01 10:55:00): [pam] [cache_req_send] (0x0400): CR #6: New request 'User by name'
(2021-04-01 10:55:00): [pam] [cache_req_process_input] (0x0400): CR #6: Parsing input name [sam.morris(a)example.net]
(2021-04-01 10:55:00): [pam] [sss_parse_name_for_domains] (0x0200): name 'sam.morris(a)example.net' matched expression for domain 'example.net', user is sam.morris
(2021-04-01 10:55:00): [pam] [cache_req_set_name] (0x0400): CR #6: Setting name [sam.morris]
(2021-04-01 10:55:00): [pam] [cache_req_select_domains] (0x0400): CR #6: Performing a single domain search
(2021-04-01 10:55:00): [pam] [cache_req_search_domains] (0x0400): CR #6: Search will check the cache and check the data provider
(2021-04-01 10:55:00): [pam] [cache_req_set_domain] (0x0400): CR #6: Using domain [example.net]
(2021-04-01 10:55:00): [pam] [cache_req_prepare_domain_data] (0x0400): CR #6: Preparing input data for domain [example.net] rules
(2021-04-01 10:55:00): [pam] [cache_req_search_send] (0x0400): CR #6: Looking up sam.morris(a)example.net
(2021-04-01 10:55:00): [pam] [cache_req_search_ncache] (0x0400): CR #6: Checking negative cache for [sam.morris(a)example.net]
(2021-04-01 10:55:00): [pam] [cache_req_search_ncache] (0x0400): CR #6: [sam.morris(a)example.net] is not present in negative cache
(2021-04-01 10:55:00): [pam] [cache_req_search_cache] (0x0400): CR #6: Looking up [sam.morris(a)example.net] in cache
(2021-04-01 10:55:00): [pam] [cache_req_search_send] (0x0400): CR #6: Returning [sam.morris(a)example.net] from cache
(2021-04-01 10:55:00): [pam] [cache_req_search_ncache_filter] (0x0400): CR #6: This request type does not support filtering result by negative cache
(2021-04-01 10:55:00): [pam] [cache_req_create_and_add_result] (0x0400): CR #6: Found 1 entries in domain example.net
(2021-04-01 10:55:00): [pam] [cache_req_done] (0x0400): CR #6: Finished: Success
(2021-04-01 10:55:00): [pam] [pam_cmd_gssapi_init_done] (0x0400): Trying GSSAPI auth: User[sam.morris(a)example.net], Domain[example.net], UPN[Sam.Morris(a)EXAMPLE.NET], Target[host(a)myself.ipa.example.net]
(2021-04-01 10:55:00): [pam] [pam_cmd_gssapi_init_done] (0x0400): Returning [0]: Success
(2021-04-01 10:55:00): [pam] [client_recv] (0x0400): Invalid data from client, closing connection!
(2021-04-01 10:55:00): [pam] [accept_fd_handler] (0x0400): Client [0x55b162039780][19] connected to privileged pipe!
(2021-04-01 10:55:00): [pam] [sss_cmd_get_version] (0x0200): Received client version [3].
(2021-04-01 10:55:00): [pam] [sss_cmd_get_version] (0x0200): Offered version [3].
(2021-04-01 10:55:00): [pam] [client_recv] (0x0400): Invalid data from client, closing connection!
There's nothing particularly special about the PAM & SSSD setup; /etc/pam.d/sudo starts with "auth sufficient pam_sss_gss.so", and sssd.conf in the [pam] section has "pam_gssapi_services = sudo".
I can use strace to see exactly what data is being received by sssd_pam from pam_sss_gss.so, but I don't know what sensitive data might be within, so I don't want to post it here. I can provide it privately if it would help.
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
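The log excerpt above has the shape every sssd_pam.log record shares, "(timestamp): [service] [function] (level): message", and the interesting record is the one pam_cmd_gssapi_init_done writes, which names the user, the domain, the UPN sssd_pam resolved for the user and the host service principal the client is expected to get a ticket for. The following parser is an added example, not code from the post or from SSSD: it pulls those four fields out, and it ties each GSSAPI attempt to a later "Invalid data from client" on the same connection (a new accept_fd_handler record starts a fresh connection, so the second disconnect in the excerpt is counted but not attributed to the attempt). The sample log is constructed from the posted lines with the archive's "(a)" address mangling undone; the file path in the usage line is an assumption.

```python
"""Correlate pam_sss_gss.so attempts with connection errors in sssd_pam.log (added example)."""
import re
import sys
from dataclasses import dataclass

# One sssd_pam.log record: (timestamp): [service] [function] (debug level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[(?P<svc>[^\]]+)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Message logged by pam_cmd_gssapi_init_done once sssd_pam has resolved the user
GSS_RE = re.compile(
    r"Trying GSSAPI auth: User\[(?P<user>[^\]]*)\], Domain\[(?P<domain>[^\]]*)\], "
    r"UPN\[(?P<upn>[^\]]*)\], Target\[(?P<target>[^\]]*)\]"
)
INVALID_DATA = "Invalid data from client"

# Constructed sample, based on the excerpt in the post (addresses un-mangled).
SAMPLE_LOG = """\
(2021-04-01 10:55:00): [pam] [accept_fd_handler] (0x0400): Client [0x55b162023b40][19] connected to privileged pipe!
(2021-04-01 10:55:00): [pam] [cache_req_done] (0x0400): CR #6: Finished: Success
(2021-04-01 10:55:00): [pam] [pam_cmd_gssapi_init_done] (0x0400): Trying GSSAPI auth: User[sam.morris@example.net], Domain[example.net], UPN[Sam.Morris@EXAMPLE.NET], Target[host@myself.ipa.example.net]
(2021-04-01 10:55:00): [pam] [pam_cmd_gssapi_init_done] (0x0400): Returning [0]: Success
(2021-04-01 10:55:00): [pam] [client_recv] (0x0400): Invalid data from client, closing connection!
(2021-04-01 10:55:00): [pam] [accept_fd_handler] (0x0400): Client [0x55b162039780][19] connected to privileged pipe!
(2021-04-01 10:55:00): [pam] [client_recv] (0x0400): Invalid data from client, closing connection!
"""


@dataclass
class GssAttempt:
    ts: str
    user: str
    domain: str
    upn: str       # UPN sssd_pam resolved for the user (what pam_gssapi_check_upn compares against)
    target: str    # service principal the client must obtain a ticket for
    client_closed: bool = False  # same connection ended with "Invalid data from client"


def parse_line(line):
    """Split one record into its fields, or return None for a non-matching line."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_gss_attempts(lines):
    """Return every GSSAPI attempt, flagging those whose connection died on bad client data."""
    attempts, current = [], None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        g = GSS_RE.search(rec["msg"])
        if g:
            current = GssAttempt(ts=rec["ts"], **g.groupdict())
            attempts.append(current)
        elif rec["func"] == "accept_fd_handler":
            current = None  # new client connection: its errors belong to no earlier attempt
        elif current is not None and rec["func"] == "client_recv" and INVALID_DATA in rec["msg"]:
            current.client_closed = True
            current = None
    return attempts


def count_invalid_data(lines):
    """Total number of 'Invalid data from client' records, attributed or not."""
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is not None and INVALID_DATA in rec["msg"]:
            total += 1
    return total


def summarize(lines):
    lines = list(lines)
    attempts = find_gss_attempts(lines)
    return {
        "gss_attempts": len(attempts),
        "closed_after_gss": sum(1 for a in attempts if a.client_closed),
        "invalid_data_total": count_invalid_data(lines),
    }


if __name__ == "__main__":
    # Usage: python3 sssd_gss_log.py /var/log/sssd/sssd_pam.log  (path is an assumption)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for a in find_gss_attempts(text.splitlines()):
        print(f"{a.ts} user={a.user} upn={a.upn} target={a.target} closed={a.client_closed}")
    print(summarize(text.splitlines()))
```

What the correlation shows for the posted excerpt is that sssd_pam finished its own part (pam_cmd_gssapi_init_done returned Success) and the disconnect came from whatever pam_sss_gss.so sent back next, so the client side of the exchange is where to keep looking. Two values worth comparing by hand are the UPN and Target that sssd_pam logged: the client needs a ticket for that Target in the user's credential cache, and sssd.conf(5) for 2.4 also documents pam_gssapi_check_upn in the [pam] section (on by default), which requires the principal of the presented ticket to match the UPN sssd_pam resolved for the user, which is the UPN this parser extracts.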
struggling with reuse of pam_sss kerberos ticket
by Calvin Chiang
Ex-Windows admin here; wrapping my head around PAM/SSSD has been quite tough!
I have successfully managed to get pam_sss working with
- login for a specific application, RStudio Server (/etc/pam.d/rstudio)
- containerized Ubuntu
- LDAP/krb5 auth
- against Microsoft Active Directory
- without domain join via realmd (so all hand-configured; ouch)
The problem is with reuse of the ticket. I can't work out how it works.
I would like to configure pam_mount and ODBC to use the same Kerberos
ticket that was generated by the pam_sss module.
So:
pam_sss creates a ticket with the following naming, which *cannot be used by
the "mount" command*:
/tmp/krb5cc_uid_xxxx
However, if I manually use kinit, it creates a ticket with the naming below,
which *can easily be reused from the "mount" command*:
/tmp/krb5cc_uid
The naming that pam_sss uses seems to be standard, but again I just can't
work out how that should be "discoverable" by any other services looking
for a ticket, when it has the wrong naming.
Some links:
This seems to be where the pam_sss naming is defined, by a build flag
--with-default-ccname-template:
https://github.com/SSSD/sssd/blob/master/src/conf_macros.m4#L337
I want to integrate it into pam_mount to mount a CIFS drive, which (I
think) is SMB, so it will be able to use the cifs.upcall library.
And the way cifs.upcall resolves tickets is somewhere here, in
get_cachename_from_process_env:
https://github.com/aaptel/cifs-utils/blob/master/cifs.upcall.c#L260
I also want to get the MSSQL ODBC driver to use the ticket as well...
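The "discoverability" the post asks about does not come from the file name. pam_sss exports the cache it created as KRB5CCNAME into the PAM environment, the login session inherits that variable, libkrb5 consults it before falling back to its built-in default of FILE:/tmp/krb5cc_<uid>, and a helper such as cifs.upcall that runs outside the session recovers it by reading KRB5CCNAME from the requesting process's /proc/<pid>/environ (which is what get_cachename_from_process_env does). The code below is an added example, not cifs-utils' or SSSD's code: it reimplements that lookup in Python so the two situations in the post can be compared side by side. The environ blobs are constructed; the random suffix in the pam_sss cache name is an illustration of the default FILE:%d/krb5cc_%U_XXXXXX template, not a real value.

```python
"""Find a process's Kerberos credential cache the way cifs.upcall does (added example)."""
import os
import sys

# libkrb5's compiled-in default when KRB5CCNAME is not set: the name kinit produced in the post.
DEFAULT_CCNAME_TEMPLATE = "FILE:/tmp/krb5cc_{uid}"
KRB5CCNAME_KEY = b"KRB5CCNAME="

# Constructed /proc/<pid>/environ contents (NUL-separated KEY=VALUE entries).
# A session authenticated through pam_sss: the cache name carries the random suffix
# from SSSD's default krb5_ccname_template FILE:%d/krb5cc_%U_XXXXXX.
SAMPLE_ENVIRON_PAM = (
    b"PATH=/usr/bin:/bin\0USER=calvin\0KRB5CCNAME=FILE:/tmp/krb5cc_1000_a1B2c3\0HOME=/home/calvin\0"
)
# A shell where the user ran kinit by hand: nothing exported, libkrb5 uses the default name.
SAMPLE_ENVIRON_KINIT = b"PATH=/usr/bin:/bin\0USER=calvin\0HOME=/home/calvin\0"


def ccname_from_environ_bytes(environ, uid):
    """Return the ccache name for a process, given its raw environ and the uid it runs as.

    Mirrors the order of precedence libkrb5 itself uses: KRB5CCNAME if set and
    non-empty, otherwise the per-uid default file.
    """
    for entry in environ.split(b"\0"):
        if entry.startswith(KRB5CCNAME_KEY):
            value = entry[len(KRB5CCNAME_KEY):].decode("utf-8", "replace")
            if value:
                return value
    return DEFAULT_CCNAME_TEMPLATE.format(uid=uid)


def ccname_for_pid(pid):
    """Resolve the cache of a live process; needs permission to read its environ (root or same uid)."""
    with open(f"/proc/{pid}/environ", "rb") as f:
        data = f.read()
    uid = os.stat(f"/proc/{pid}").st_uid
    return ccname_from_environ_bytes(data, uid)


def ccache_path(ccname):
    """Return the filesystem path of a FILE: cache; None for other cache types (KEYRING:, DIR:, ...)."""
    cctype, sep, rest = ccname.partition(":")
    if not sep:
        return ccname          # bare path, treated as FILE by libkrb5
    return rest if cctype == "FILE" else None


def same_cache(environ_a, uid_a, environ_b, uid_b):
    """True if two processes would end up using the same credential cache file."""
    a = ccache_path(ccname_from_environ_bytes(environ_a, uid_a))
    b = ccache_path(ccname_from_environ_bytes(environ_b, uid_b))
    return a is not None and a == b


if __name__ == "__main__":
    # Usage: python3 ccache_lookup.py <pid>   (defaults to the current process)
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    name = ccname_for_pid(pid)
    print(f"pid {pid}: KRB5CCNAME resolves to {name}, file {ccache_path(name)}")
```

Two practical consequences follow from this. First, anything that should share the pam_sss ticket has to run with the session's environment, or be told the name; mount, run from a shell inside the same PAM session, inherits KRB5CCNAME and finds the suffixed cache, while a process started elsewhere does not. Second, if a fixed, predictable name is really required, sssd.conf lets you change the template per domain (krb5_ccname_template = FILE:/tmp/krb5cc_%U in the [domain/...] section), at the cost of the protection the random suffix gives against two concurrent logins of the same user overwriting each other's cache.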