On Fri, Mar 04, 2016 at 05:20:00PM +0100, Hauke Fath wrote:
[re-sent after subscribing with my sender address]
All,
I am working on deploying sssd to a number of Debian Linux
workstations, and it's slow-going... and I could use some help.
The workstations mount users' homes and a few public shares over NFS,
using automount. User information, automounter maps etc. are shared
through NIS. Besides caching, easy switching of backends (say, to
Kerberos and LDAP) is why I want to move to sssd. But it looks like NIS
support is a bit under-documented.
The installed sssd version ("wheezy-backports") is
# dpkg-query -l sssd
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii  sssd           1.11.7.3-3~b amd64        System Security Services Daemon -
#
Debian updates pam.d/common-*
# fgrep sss /etc/pam.d/*
/etc/pam.d/common-account:account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/common-auth:auth [success=1 default=ignore] pam_sss.so use_first_pass
/etc/pam.d/common-password:password sufficient pam_sss.so
/etc/pam.d/common-session:session optional pam_sss.so
#
and nsswitch.conf, funny enough by appending the sss modules
# fgrep sss /etc/nsswitch.conf
passwd: files nis sss
group: files nis sss
shadow: files nis sss
netgroup: nis sss
sudoers: files sss
#
and does not install any /etc/sssd/sssd.conf, so the system is broken
after installing sssd and friends.
My sssd.conf is
[sssd]
config_file_version = 2
reconnection_retries = 3
debug_level = 0x0070
services = nss, pam
domains = spgnts
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 0x0070
[pam]
reconnection_retries = 3
pam_verbosity = 3
debug_level = 0x0070
[domain/spgnts]
debug_level = 0x0070
enumerate = true
id_provider = proxy
proxy_lib_name = nis
min_id = 500
auth_provider = proxy
proxy_pam_target = none
-- if there is any further configuration detail you consider relevant
to the issue, please let me know.
When I start all this, things work until I take out the 'nis' entries
from nsswitch.conf. To my understanding, as long as they are in,
queries never go to the nss_sss module.
Once I take out the 'nis' entries, I can log in as root on the console,
I can log in as a regular user over ssh (public key auth), but all
other login attempts time out. kdm mutters about pam_setcred() problems
on the console.
The /var/log/sssd/* logs are voluminous, but virtually free of any
helpful information. Upon login, sssd appears to start a bunch of
proxy_child processes, which hang there until timeout, at which point
they get killed. I tried copying a command line from ps, and strace a
proxy_child invocation, but the trace didn't speak to me.
I have searched the web far and wide, but there is little more than lip
service to using the proxy module, much less NIS. As of now, my hunch is
the problem lies with PAM - how do you configure the domain's
auth_provider for NIS? I came across "#proxy_auth_target =
nis_pam_proxy", but it wasn't documented.
Thanks for reading this far; any comments are most welcome!
Cheerio,
Hauke
I haven't configured NIS myself for a very long time, but before logins
start working, sssd must be able to retrieve user information. I presume
"getent passwd -s sss $nisuser" doesn't return anything using this
configuration? It might be interesting to see the logs when you request
the user.
If you want to start testing just identity w/o authentication, you can
start with:
auth_provider = none
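Added example, not from the thread: a small Python checker for the two points raised above, the nsswitch.conf ordering (a module listed before sss answers first, so nss_sss is only reached when nis has no entry for the name) and the proxy auth setup (per sssd.conf(5), with auth_provider = proxy the proxy_pam_target must name an existing service under /etc/pam.d). The config texts and the PAM service list are constructed to mirror the posted ones rather than read from a live system.

```python
# Added example (not from the thread): automate the two checks discussed above
# on constructed copies of the posted nsswitch.conf and sssd.conf.
import configparser

NSSWITCH = """\
passwd: files nis sss
group: files nis sss
shadow: files nis sss
netgroup: nis sss
sudoers: files sss
"""

SSSD_CONF = """\
[domain/spgnts]
id_provider = proxy
proxy_lib_name = nis
auth_provider = proxy
proxy_pam_target = none
"""

def parse_nsswitch(text):
    """Map each NSS database to its ordered module list (action tokens dropped)."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, mods = line.split(":", 1)
            dbs[db.strip()] = [m for m in mods.split() if not m.startswith("[")]
    return dbs

def sss_shadowed_by(dbs, module="nis"):
    """Databases where `module` is tried before sss: a hit there is returned
    and nss_sss is never consulted, which is why the poster had to drop 'nis'."""
    return {db: mods for db, mods in dbs.items()
            if "sss" in mods and module in mods
            and mods.index(module) < mods.index("sss")}

def check_domain_auth(text, domain, pam_services):
    """Findings about the domain's auth setup. `pam_services` is the set of
    service names under /etc/pam.d (injected here instead of read from disk):
    with auth_provider = proxy, proxy_pam_target must name one of them."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sec = cp["domain/" + domain]
    auth = sec.get("auth_provider", "")
    if auth == "none":
        return ["identity-only test (as suggested in the reply): auth_provider = none"]
    if auth == "proxy":
        target = sec.get("proxy_pam_target")
        if not target:
            return ["auth_provider = proxy but proxy_pam_target is unset"]
        if target not in pam_services:
            return ["proxy_pam_target '%s' has no /etc/pam.d/%s" % (target, target)]
    return []
```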