On Tue, Oct 06, 2015 at 03:40:45PM +0200, liedekef(a)telenet.be wrote:
(sorry for top-posting, but using a webmail client for now).
Here's my config (some obfuscation done):
[sssd]
config_file_version = 2
# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3
# If a back end is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, pam, ssh, sudo
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
# domains = LOCAL,LDAP
domains = LDAP
[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
filter_groups = root
filter_users = root,ldap,named,avahi,haldaemon,messagebus,dbus,vcsa,ntp
reconnection_retries = 3
# The entry_cache_nowait_percentage indicates the percentage of the
# entry_cache_timeout to wait before updating the cache out-of-band.
# (NSS requests will still be returned from cache until the full
# entry_cache_timeout). Setting this value to 0 turns this feature
# off (default).
# entry_cache_nowait_percentage = 300
Since you do not have re_expression tuned, any query in the form of
foo@bar gets split into (name=foo, domain=bar) and if there's no domain
bar, then sssd just shortcuts and returns ENOENT.
Can you try adding:
re_expression = (?P<name>.+)
to the [sssd] section? That essentially tells sssd that the whole input
string is a username. The downside is that you won't be able to use
multiple domains.
[sudo]
[pam]
reconnection_retries = 3
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
access_provider = ldap
ldap_access_filter = memberOf=cn=xxxx
ldap_uri = ldap://server1.fqdn, ldap://server2.fqdn
ldap_search_base = dc=xxxx
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_search_timeout = 5
ldap_referrals = false
ldap_user_ssh_public_key = sshPublicKey
ldap_sudo_search_base = ou=SudoEntries,dc=xxx
ldap_sudorule_runasuser = sudoRunAs
cache_credentials = true
enumerate = true
entry_cache_timeout = 5400
Franky
----- Original Message -----
From: "Jakub Hrozek" <jhrozek(a)redhat.com>
To: sssd-users(a)lists.fedorahosted.org
Sent: Tuesday, October 6, 2015 2:48:02 PM
Subject: Re: [SSSD-users] sssd nss call fails if group has "@" in it
On Tue, Oct 06, 2015 at 02:34:58PM +0200, Lukas Slebodnik wrote:
> On (06/10/15 14:17), liedekef(a)telenet.be wrote:
> >Hi,
> >
> >it seems that since the upgrade on my EL6 server to sssd-1.12.4-47.el6.x86_64, I'm hitting a bug with nss if a group contains "@" in its cn (auth done via LDAP):
> >
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x13ac330][20]
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x13ac330][20]
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [33] with input [sudo_sasfdr@FFF-AP-dev].
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41df60:domains@LDAP]
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [LDAP][FFF-AP-dev]
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x13a7ce0
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41df60:domains@LDAP]
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x13a7ce0
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x1397ab0
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 19 error message: Subdomains back end target is not configured
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x13ab1d0
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x13a07b0
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13ab1d0 "ltdb_callback"
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x13a07b0 "ltdb_timeout"
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13ab1d0 "ltdb_callback"
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x13ab1d0
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x139bbc0
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13ab1d0 "ltdb_callback"
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x139bbc0 "ltdb_timeout"
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13ab1d0 "ltdb_callback"
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x13a07b0
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x13ab1d0
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13a07b0 "ltdb_callback"
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x13ab1d0 "ltdb_timeout"
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13a07b0 "ltdb_callback"
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam_done] (0x0040): Invalid name received [sudo_sasfdr@FFF-AP-dev]
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41df60:domains@LDAP]
> >
> >At first I thought it was an LDAP issue, but changing the name to sudo_sasfdr_FFF-AP-dev worked just fine.
> >The older sssd version sssd-1.11.6-30.el6_6.4.x86_64 did not have that problem, but maybe now the "@" is considered a domain-delimiter?
> >
> >Currently as a workaround, I switched back to LDAP for sudo-queries (it's either that or change over 200 groups in LDAP and the master provisioning system), since it seems so far only sudo rules are impacted for now.
> >
> >If anybody can point me to a config param to get the old behaviour back, I would very much appreciate it.
> >Or, if it is no longer supported, then I need to start writing ldap-renames ...
> >
> >With friendly regards,
> >
> Could you share your configuration file?
> We would need to know which data provider you have configured ...
>
> sssd uses "@" as a separator for name and domain.
> you can find more details in manual page sssd.conf -> re_expression
> So you can just use different regular expression to avoid such
> problems. But I wonder how it could work with 1.11.x
This is something that should work, we use the configuration in the
'legacy client' scenario where the FQDNs are already present in the
compat tree and we need to avoid splitting them, but rather match
against the compat tree.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
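Added illustration (not from this thread and not sssd's own code): a small Python model of the name split Jakub describes. DEFAULT_RE is the re_expression default documented in sssd.conf(5) for non-IPA/AD providers; WHOLE_NAME_RE is the override suggested above. The domain list mirrors "domains = LDAP" from the posted config. resolve() only models the split and the ENOENT shortcut for an unknown domain, not the rest of sssd's lookup path.

```python
import re

# Documented default re_expression for the LDAP provider (sssd.conf(5)).
DEFAULT_RE = r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)"

# Override suggested in the thread: the whole input string is the name.
WHOLE_NAME_RE = r"(?P<name>.+)"

# Mirrors "domains = LDAP" in the posted sssd.conf.
CONFIGURED_DOMAINS = ["LDAP"]


def split_name(raw, re_expression=DEFAULT_RE):
    """Apply re_expression the way sssd does: return (name, domain).

    domain is None when the expression has no 'domain' group or it
    matched the empty string (i.e. no '@' in the input).
    """
    m = re.match(re_expression, raw)
    if m is None:
        return None, None
    name = m.group("name")
    domain = m.groupdict().get("domain") or None
    return name, domain


def resolve(raw, re_expression=DEFAULT_RE, domains=CONFIGURED_DOMAINS):
    """Model the lookup decision after the split.

    Returns "ENOENT" when the input does not parse or names a domain
    that is not configured (the shortcut seen in the posted log), else
    a dict with the name and the list of domains that would be searched.
    """
    name, domain = split_name(raw, re_expression)
    if name is None:
        return "ENOENT"
    if domain is None:
        # No domain given: every configured domain is queried in order.
        return {"name": name, "search": list(domains)}
    if domain in domains:
        return {"name": name, "search": [domain]}
    # "FFF-AP-dev" is not a configured domain -> sssd gives up early.
    return "ENOENT"


if __name__ == "__main__":
    # Input taken from the log in the thread; the group really is called this.
    group = "sudo_sasfdr@FFF-AP-dev"
    for label, expr in (("default", DEFAULT_RE), ("override", WHOLE_NAME_RE)):
        print(f"{label:8s} {group!r:28} -> {resolve(group, expr)}")
    print(f"{'default':8s} {'sudo_sasfdr_FFF-AP-dev'!r:28} -> "
          f"{resolve('sudo_sasfdr_FFF-AP-dev')}")
```

With the default expression the group name is cut at the "@" and "FFF-AP-dev" is treated as a domain name, which is exactly the "Sending get domains request for [LDAP][FFF-AP-dev]" line in the log; with the override the "@" is just another character of the name and the lookup goes to the LDAP domain.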